elastic · efd6 · Aug 16, 2023 · Aug 15, 2023
@@ -1,5 +1,11 @@
 version: "2.3"
 services:
+  cisco_ise-log-filestream:
+    image: alpine
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+      - ${SERVICE_LOGS_DIR}:/var/log
+    command: /bin/sh -c "cp /sample_logs/* /var/log/"
   cisco_ise-log-tcp:
     image: docker.elastic.co/observability/stream:v0.8.0
     volumes:

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+  changes:
+    - description: Add support for filestream input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/7394
 - version: "1.11.1"
   changes:
     - description: Add missing ECS field mappings

@@ -0,0 +1,8 @@
+service: cisco_ise-log-filestream
+input: filestream
+data_stream:
+  vars:
+    preserve_original_event: true
+    preserve_duplicate_custom_fields: true
+    paths:
+      - '{{SERVICE_LOGS_DIR}}/*.log'
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path|}}
+- {{path}}
+{{/each}}
+prospector.scanner.exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
@@ -110,6 +110,8 @@
   name: host.hostname
 - external: ecs
   name: host.ip
+- external: ecs
+  name: log.file.path
 - external: ecs
   name: log.level
 - external: ecs

@@ -72,3 +72,41 @@ streams:
         show_user: false
         description: >-
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+  - input: filestream
+    template_path: filestream.yml.hbs
+    title: Cisco_ISE logs
+    description: Collect Cisco ISE logs via TCP input.
+    vars:
+      - name: paths
+        title: Paths
+        type: text
+        required: true
+        show_user: true
+        multi: true
+        default:
+          - /var/log/cisco_ise*
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: true
+        show_user: false
+        default:
+          - forwarded
+          - cisco_ise-log
+      - name: preserve_original_event
+        required: true
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`.
+        type: bool
+        multi: false
+        default: false
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: >-
+          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
@@ -527,6 +527,7 @@ An example event for `log` looks as following:
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
 | log.offset | Log offset | long |

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_ise
 title: Cisco ISE
-version: "1.11.1"
+version: "1.12.0"
 license: basic
 description: Collect logs from Cisco ISE with Elastic Agent.
 type: integration
@@ -95,5 +95,8 @@ policy_templates:
             required: true
             show_user: true
             default: 9026
+      - type: filestream
+        title: Collect Cisco ISE logs using filestream input
+        description: Collecting Cisco ISE logs using filestream input.
 owner:
   github: elastic/security-external-integrations