diff --git a/packages/microsoft_dhcp/changelog.yml b/packages/microsoft_dhcp/changelog.yml index f88b038889c..e98e18db889 100644 --- a/packages/microsoft_dhcp/changelog.yml +++ b/packages/microsoft_dhcp/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.7.0" + changes: + - description: Change host.domain to host.name to reflect the event data and then extract host.domain from the host.name + type: enhancement + link: https://github.com/elastic/integrations/pull/4280 - version: "1.6.0" changes: - description: Update package to ECS 8.4.0 diff --git a/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json b/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json index 28b8eaa563f..60928c9bd58 100644 --- a/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json +++ b/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json @@ -78,8 +78,9 @@ ] }, "host": { - "domain": "057182593757.test.com", - "ip": "172.28.43.169" + "domain": "test.com", + "ip": "172.28.43.169", + "name": "057182593757.test.com" }, "log": { "file": { @@ -118,8 +119,9 @@ ] }, "host": { - "domain": "1-07.test.com", - "ip": "172.28.53.173" + "domain": "test.com", + "ip": "172.28.53.173", + "name": "1-07.test.com" }, "log": { "file": { @@ -158,8 +160,9 @@ ] }, "host": { - "domain": "3-07.test.com", - "ip": "172.28.53.36" + "domain": "test.com", + "ip": "172.28.53.36", + "name": "3-07.test.com" }, "log": { "file": { @@ -240,8 +243,9 @@ ] }, "host": { - "domain": "035856103966.test.com", - "ip": "172.28.43.159" + "domain": "test.com", + "ip": "172.28.43.159", + "name": "035856103966.test.com" }, "log": { "file": { @@ -280,8 +284,9 @@ ] }, "host": { - "domain": "001100581357.test.com", - "ip": "172.28.40.35" + "domain": "test.com", + "ip": "172.28.40.35", + "name": "001100581357.test.com" }, "log": { "file": { 
@@ -321,11 +326,12 @@ ] }, "host": { - "domain": "host.test.com", + "domain": "test.com", "ip": "192.168.2.1", "mac": [ "00-00-00-00-00-00" - ] + ], + "name": "host.test.com" }, "log": { "file": { @@ -358,11 +364,12 @@ ] }, "host": { - "domain": "host.test.com", + "domain": "test.com", "ip": "192.168.2.10", "mac": [ "00-00-00-00-00-00" - ] + ], + "name": "host.test.com" }, "log": { "file": { @@ -401,11 +408,12 @@ ] }, "host": { - "domain": "host.test.com", + "domain": "test.com", "ip": "192.168.2.20", "mac": [ "00-00-00-00-00-00" - ] + ], + "name": "host.test.com" }, "log": { "file": { @@ -484,8 +492,9 @@ ] }, "host": { - "domain": "hostname.test.com", - "ip": "10.10.10.10" + "domain": "test.com", + "ip": "10.10.10.10", + "name": "hostname.test.com" }, "log": { "file": { @@ -564,7 +573,8 @@ ] }, "host": { - "domain": "domain.local" + "domain": "local", + "name": "domain.local" }, "log": { "file": { @@ -597,7 +607,8 @@ ] }, "host": { - "domain": "domain.local" + "domain": "local", + "name": "domain.local" }, "log": { "file": { diff --git a/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-logv6.log-expected.json b/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-logv6.log-expected.json index 6664a0e5868..5e26c6d2750 100644 --- a/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-logv6.log-expected.json +++ b/packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-logv6.log-expected.json @@ -122,7 +122,8 @@ "timezone": "America/New_York" }, "host": { - "domain": "test.local" + "domain": "local", + "name": "test.local" }, "log": { "file": { @@ -155,8 +156,8 @@ ] }, "host": { - "domain": "test-host", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "name": "test-host" }, "log": { "file": { 
@@ -197,8 +198,8 @@ ] }, "host": { - "domain": "test-host", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "name": "test-host" }, "log": { "file": { @@ -239,8 +240,8 @@ ] }, "host": { - "domain": "test-host", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "name": "test-host" }, "log": { "file": { @@ -281,8 +282,8 @@ ] }, "host": { - "domain": "test-host", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "name": "test-host" }, "log": { "file": { @@ -323,8 +324,8 @@ ] }, "host": { - "domain": "test-host", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "name": "test-host" }, "log": { "file": { @@ -365,8 +366,8 @@ ] }, "host": { - "domain": "test-host", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "name": "test-host" }, "log": { "file": { @@ -407,8 +408,8 @@ ] }, "host": { - "domain": "test-host", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "name": "test-host" }, "log": { "file": { @@ -449,8 +450,8 @@ ] }, "host": { - "domain": "test-host", - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "name": "test-host" }, "log": { "file": { diff --git a/packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml index 6f891b51df0..e2ad56f4133 100644 --- a/packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml +++ b/packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml @@ -10,7 +10,7 @@ processors: - _tmp_.time - message - host.ip - - host.domain + - host.name - _tmp_.mac - user.name - microsoft.dhcp.transaction_id 
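Review bot: The column this hunk retargets from host.domain to host.name appears to be the client Host Name as written by the DHCP server (the sample event's original row pairs it with the client address and MAC, `192.168.2.1,host.test.com,000000000000`), so host.name now describes the DHCP client rather than the host on which the event was recorded, which is what ECS host.* normally denotes. That name is typically supplied by the client in its DHCP request and is not verified by the server, so searches and rules that pivot on host.name will join these rows to whatever name the client reported; the commit does not document this. I would add above the enclosing processor a comment such as `# host.ip/host.name are the DHCP client as logged by the server; the name is client-reported and unverified` and consider also populating client.ip/client.mac so the pair is not mistaken for the agent's own host.* fields. The field list this hunk sits in begins before the hunk, and dhcpv6.yml carries the same change.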
@@ -25,6 +25,14 @@ processors: - microsoft.dhcp.relay_agent_info - microsoft.dhcp.dns_error_code ignore_failure: true + - grok: + field: host.name + if: 'ctx.host?.name != null && ctx.host.name.contains(".")' + patterns: + - "%{HOSTNAME}\\.%{GREEDYDATA:host.domain}" + pattern_definitions: + "HOSTNAME": "[^.]+" + ignore_failure: true - set: field: _tmp_.timestamp value: "{{{_tmp_.date}}} {{{_tmp_.time}}}" diff --git a/packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml b/packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml index 7c808cad13d..ff848a28a8b 100644 --- a/packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml +++ b/packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml @@ -9,7 +9,7 @@ processors: - _tmp_.time - message - host.ip - - host.domain + - host.name - microsoft.dhcp.error_code - microsoft.dhcp.duid.length - microsoft.dhcp.duid.hex @@ -17,6 +17,14 @@ processors: - microsoft.dhcp.dhc_id - microsoft.dhcp.subnet_prefix ignore_failure: true + - grok: + field: host.name + if: 'ctx.host?.name != null && ctx.host.name.contains(".")' + patterns: + - "%{HOSTNAME}\\.%{GREEDYDATA:host.domain}" + pattern_definitions: + "HOSTNAME": "[^.]+" + ignore_failure: true - set: field: _tmp_.timestamp value: "{{{_tmp_.date}}} {{{_tmp_.time}}}" diff --git a/packages/microsoft_dhcp/data_stream/log/fields/ecs.yml b/packages/microsoft_dhcp/data_stream/log/fields/ecs.yml index dc0d37a45b8..fa4d81c3383 100644 --- a/packages/microsoft_dhcp/data_stream/log/fields/ecs.yml +++ b/packages/microsoft_dhcp/data_stream/log/fields/ecs.yml @@ -20,6 +20,8 @@ name: event.type - external: ecs name: host.domain +- external: ecs + name: host.name - external: ecs name: host.ip - external: ecs diff --git a/packages/microsoft_dhcp/data_stream/log/sample_event.json b/packages/microsoft_dhcp/data_stream/log/sample_event.json index fc2dbc65249..c56a4fede80 100644 
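Review bot: The added grok pattern is unanchored (grok does not anchor by default) and its second capture may be empty, so a value such as `host.` sets host.domain to an empty string and `.a.b` yields host.domain `b` from a partial match; the identical processor is added to dhcpv6.yml. Anchoring and requiring at least one character after the dot avoids both: `- "^%{HOSTLABEL}\\.(?<host.domain>.+)$"` with `"HOSTLABEL": "[^.]+"`. A fresh name like HOSTLABEL also stops the pattern_definitions entry from shadowing the built-in grok HOSTNAME pattern inside this processor, which currently reads as if the standard definition were in use. Since GREEDYDATA keeps everything after the first label, `domain.local` becomes host.domain `local`, as the updated expected files show; a one-line comment above the processor stating that the first label is taken as the host and the remainder as the domain would make that intent explicit.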
--- a/packages/microsoft_dhcp/data_stream/log/sample_event.json +++ b/packages/microsoft_dhcp/data_stream/log/sample_event.json 
@@ -1,77 +1,73 @@ { + "@timestamp": "2001-01-01T01:01:01.000-05:00", "agent": { + "ephemeral_id": "268da6cf-879e-4478-b666-96c44fba3109", + "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", "name": "docker-fleet-agent", - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", "type": "filebeat", - "ephemeral_id": "adc79855-a07e-4f88-b14d-79d03400f73d", - "version": "8.2.0" - }, - "log": { - "file": { - "path": "/tmp/service_logs/test-dhcpV6.log" - }, - "offset": 1619 - }, - "elastic_agent": { - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "version": "8.2.0", - "snapshot": false - }, - "message": "DHCPV6 Request", - "microsoft": { - "dhcp": { - "duid": { - "length": "18", - "hex": "0004A34473BFC27FC55B25E86AF0E1761DAA" - } - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "microsoft_dhcp" - ], - "observer": { - "hostname": "docker-fleet-agent", - "ip": [ - "172.18.0.7" - ], - "mac": [ - "02-42-AC-12-00-07" - ] - }, - "input": { - "type": "log" - }, - "@timestamp": "2021-12-06T12:43:57.000-05:00", - "ecs": { - "version": "8.3.0" + "version": "8.4.1" }, "data_stream": { + "dataset": "microsoft_dhcp.log", "namespace": "ep", - "type": "logs", - "dataset": "microsoft_dhcp.log" + "type": "logs" }, - "host": { - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "domain": "test-host" + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", + "snapshot": false, + "version": "8.4.1" }, "event": { + "action": "dhcp-dns-update", "agent_id_status": "verified", - "ingested": "2022-05-09T14:40:22Z", - "original": "11002,12/06/21,12:43:57,DHCPV6 Request,2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,test-host,,18,0004A34473BFC27FC55B25E86AF0E1761DAA,,,,,", - "code": "11002", - "timezone": "America/New_York", - "kind": "event", - "action": "dhcpv6-request", "category": [ "network" ], + "code": "35", + "dataset": "microsoft_dhcp.log", + "ingested": "2022-09-26T06:06:08Z", + "kind": "event", + "original": "35,01/01/01,01:01:01,DNS update 
request failed,192.168.2.1,host.test.com,000000000000,", + "outcome": "failure", + "timezone": "America/New_York", "type": [ "connection", - "protocol" + "denied" + ] + }, + "host": { + "domain": "test.com", + "ip": "192.168.2.1", + "mac": [ + "00-00-00-00-00-00" ], - "dataset": "microsoft_dhcp.log", - "outcome": "success" - } + "name": "host.test.com" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/test-dhcp.log" + }, + "offset": 2407 + }, + "message": "DNS update request failed", + "observer": { + "hostname": "docker-fleet-agent", + "ip": [ + "172.23.0.4" + ], + "mac": [ + "02-42-AC-17-00-04" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "microsoft_dhcp" + ] } \ No newline at end of file diff --git a/packages/microsoft_dhcp/docs/README.md b/packages/microsoft_dhcp/docs/README.md index 4a669c13707..d840ba02d05 100644 --- a/packages/microsoft_dhcp/docs/README.md +++ b/packages/microsoft_dhcp/docs/README.md 
@@ -20,81 +20,77 @@ An example event for `log` looks as following: ```json { + "@timestamp": "2001-01-01T01:01:01.000-05:00", "agent": { + "ephemeral_id": "268da6cf-879e-4478-b666-96c44fba3109", + "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", "name": "docker-fleet-agent", - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", "type": "filebeat", - "ephemeral_id": "adc79855-a07e-4f88-b14d-79d03400f73d", - "version": "8.2.0" - }, - "log": { - "file": { - "path": "/tmp/service_logs/test-dhcpV6.log" - }, - "offset": 1619 - }, - "elastic_agent": { - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "version": "8.2.0", - "snapshot": false - }, - "message": "DHCPV6 Request", - "microsoft": { - "dhcp": { - "duid": { - "length": "18", - "hex": "0004A34473BFC27FC55B25E86AF0E1761DAA" - } - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "microsoft_dhcp" - ], - "observer": { - "hostname": "docker-fleet-agent", - "ip": [ - "172.18.0.7" - ], - "mac": [ - "02-42-AC-12-00-07" - ] - }, - "input": { - "type": "log" - }, - "@timestamp": "2021-12-06T12:43:57.000-05:00", - "ecs": { - "version": "8.3.0" + "version": "8.4.1" }, "data_stream": { + "dataset": "microsoft_dhcp.log", "namespace": "ep", - "type": "logs", - "dataset": "microsoft_dhcp.log" + "type": "logs" }, - "host": { - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "domain": "test-host" + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", + "snapshot": false, + "version": "8.4.1" }, "event": { + "action": "dhcp-dns-update", "agent_id_status": "verified", - "ingested": "2022-05-09T14:40:22Z", - "original": "11002,12/06/21,12:43:57,DHCPV6 Request,2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,test-host,,18,0004A34473BFC27FC55B25E86AF0E1761DAA,,,,,", - "code": "11002", - "timezone": "America/New_York", - "kind": "event", - "action": "dhcpv6-request", "category": [ "network" ], + "code": "35", + "dataset": "microsoft_dhcp.log", + "ingested": "2022-09-26T06:06:08Z", + 
"kind": "event", + "original": "35,01/01/01,01:01:01,DNS update request failed,192.168.2.1,host.test.com,000000000000,", + "outcome": "failure", + "timezone": "America/New_York", "type": [ "connection", - "protocol" + "denied" + ] + }, + "host": { + "domain": "test.com", + "ip": "192.168.2.1", + "mac": [ + "00-00-00-00-00-00" ], - "dataset": "microsoft_dhcp.log", - "outcome": "success" - } + "name": "host.test.com" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/test-dhcp.log" + }, + "offset": 2407 + }, + "message": "DNS update request failed", + "observer": { + "hostname": "docker-fleet-agent", + "ip": [ + "172.23.0.4" + ], + "mac": [ + "02-42-AC-17-00-04" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "microsoft_dhcp" + ] } ``` @@ -121,6 +117,7 @@ An example event for `log` looks as following: | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | input.type | | keyword | | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.offset | | long | 
diff --git a/packages/microsoft_dhcp/manifest.yml b/packages/microsoft_dhcp/manifest.yml
index 8c749bcaf3a..d9135a0745d 100644
--- a/packages/microsoft_dhcp/manifest.yml
+++ b/packages/microsoft_dhcp/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: microsoft_dhcp
 title: Microsoft DHCP
-version: "1.6.0"
+version: "1.7.0"
 license: basic
 description: Collect logs from Microsoft DHCP with Elastic Agent.
 type: integration