From 72c3b9fb3e67f7d15d6b851208e159c948248c12 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Tue, 12 Sep 2023 17:03:33 +0930
Subject: [PATCH 1/3] cisco_meraki: handle blocked ARP packet messages
---
 packages/cisco_meraki/changelog.yml | 5 ++
 .../log/_dev/test/pipeline/test-events.log | 1 +
 .../pipeline/test-events.log-expected.json | 51 +++++++++++++++++++
 .../elasticsearch/ingest_pipeline/events.yml | 30 ++++++++++-
 .../data_stream/log/fields/ecs.yml | 2 +
 packages/cisco_meraki/docs/README.md | 1 +
 packages/cisco_meraki/manifest.yml | 2 +-
 7 files changed, 89 insertions(+), 3 deletions(-)
diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml
index bb33f0c34cf..6d420efbb36 100644
--- a/packages/cisco_meraki/changelog.yml
+++ b/packages/cisco_meraki/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.13.0"
+ changes:
+ - description: Handle blocked ARP packet messages.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7771
 - version: "1.12.0"
 changes:
 - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
index 1baeaa6cbba..9cb82a11f15 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
@@ -21,3 +21,4 @@
 <134>1 1639132875.360638431 1_2_AP_4 events type=disassociation radio='1' vap='1' client_mac='36:E7:E9:AE:04:3D' channel='132' reason='8' apple_da_reason='7' instigator='2' duration='40.260521941' auth_neg_dur='0.024206187' last_auth_ago='40.229666962' is_wpa='1' full_conn='0.477861916' ip_resp='1.005954707' ip_src='10.68.128.113' http_resp='0.477861916' arp_resp='0.179876562' arp_src='10.68.128.113' dns_server='10.128.128.128' dns_req_rtt='0.095675854' dns_resp='0.416596437' dhcp_lease_completed='0.182086020' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:49:F7:26' dhcp_resp='0.182086020' aid='1750957891'
 <134>1 1639132903.129587239 LG2_AP_01 events type=disassociation radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' channel='36' reason='8' apple_da_reason='7' instigator='2' duration='27.641499140' auth_neg_dur='0.008153688' last_auth_ago='27.627178619' is_wpa='1' full_conn='0.395120958' ip_resp='0.520431812' ip_src='10.72.66.49' http_resp='0.395120958' arp_resp='0.132684875' arp_src='10.72.66.49' dns_server='10.128.128.128' dns_req_rtt='0.121687' dns_resp='0.335365542' dhcp_lease_completed='0.133589958' dhcp_server='10.128.128.128' dhcp_server_mac='F8:9E:28:70:1A:7C' dhcp_resp='0.133589958' aid='1899362895'
 <134>1 1639132917.085087788 LG2_AP_01 events type=wpa_auth radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' aid='1546367691'
+<134>1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123
\ No newline at end of file
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
index a2f1630cfd3..d227c15b671 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
@@ -1048,6 +1048,57 @@
 "forwarded",
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2021-12-10T10:40:51.416Z",
+ "cisco_meraki": {
+ "event_subtype": "blocked",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "blocked",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123",
+ "type": [
+ "info"
+ ]
+ },
+ "interface": {
+ "name": "VLAN 123"
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "source": {
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "mac": "AB-01-02-03-04-05"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
index 9ab57e85444..6a6bed62b91 100644
--- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
+++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
@@ -11,11 +11,15 @@ processors:
 - set:
 field: cisco_meraki.event_subtype
 value: 'Site-to-Site VPN'
- if: ctx?.msgtype.toLowerCase() == "site-to-site"
+ if: ctx.msgtype.toLowerCase() == "site-to-site"
 - set:
 field: cisco_meraki.event_subtype
 value: client_vpn_connect
- if: ctx?.msgtype.toLowerCase() == "client_vpn_connect"
+ if: ctx.msgtype.toLowerCase() == "client_vpn_connect"
+- set:
+ field: cisco_meraki.event_subtype
+ value: blocked
+ if: ctx.msgtype.toLowerCase() == "blocked"
 ####################################################
 # log event with type= format
 # these are dfs_event, association, disassocation,
@@ -73,6 +77,28 @@ processors:
 WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
 if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "Site-to-Site VPN"
 
+####################################################
+# Handle Blocked ARP
+####################################################
+- grok:
+ field: event.original
+ patterns:
+ - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}Blocked ARP Packet from %{MAC:source.mac} with IP %{IP:source.ip} on %{GREEDYDATA:interface.name}$'
+ pattern_definitions:
+ SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
+ SYSLOGVER: '\b(?:\d{1,2})\b'
+ SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
+ WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
+ if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "blocked"
+- gsub:
+ field: source.mac
+ pattern: '[:.]'
+ replacement: '-'
+ ignore_missing: true
+- uppercase:
+ field: source.mac
+ ignore_missing: true
+
 ####################################################
 # Handle dfs_event, wpa_auth, wpa_deauth,
 # association or disassociation
diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
index 2e4f83a1d9e..aaadbe38f52 100644
--- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
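Review bot: The new `set` condition `if: ctx.msgtype.toLowerCase() == "blocked"` dereferences `msgtype` unguarded, so a document that reaches this pipeline without that field fails at the processor with a null-pointer error instead of simply not matching; the two conditions the hunk rewrites have the same shape. If the calling pipeline guarantees `msgtype` for every `events` message this is harmless, otherwise `if: ctx.msgtype?.toLowerCase() == "blocked"` keeps the comparison null-safe at no cost. The `processors:` list this belongs to begins outside the hunk.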
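Review bot: The Blocked ARP `grok` in `@@ -73,6 +77,28 @@` has no `ignore_failure` or `on_failure`, so any other message whose first word is `Blocked` selects the `blocked` subtype and then fails the whole document at this processor when it does not match `Blocked ARP Packet from … with IP … on …`; the port grok added in PATCH 2 (`@@ -98,6 +107,37 @@`) repeats the shape. Unless a pipeline-level `on_failure` handler outside the hunk already catches this, `ignore_failure: true` on the grok is the safer default, with further patterns for other `Blocked …` variants if any exist. The `gsub` and `uppercase` on `source.mac` carry no condition, so they also rewrite any `source.mac` that other branches of this pipeline produce; if a single MAC format across all events is the intent, a comment such as `# normalise every source.mac to the ECS form AA-BB-CC-DD-EE-FF` would make that explicit. Separately, the expected output classifies the dropped packet as `event.type: [info]`; since the observer denied it, appending `denied` would let these events surface alongside other blocked-traffic records, though `event.type` is assigned outside this hunk.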
@@ -114,6 +114,8 @@
 name: http.request.method
 - external: ecs
 name: http.request.referrer
+- external: ecs
+ name: interface.name
 - external: ecs
 name: log.level
 - external: ecs
diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md
index 29bf818aaf2..36a502e2743 100644
--- a/packages/cisco_meraki/docs/README.md
+++ b/packages/cisco_meraki/docs/README.md
@@ -194,6 +194,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | input.type | Input type. | keyword |
+| interface.name | Interface name as reported by the system. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml
index 9e3ae2847f2..b22dcf2193b 100644
--- a/packages/cisco_meraki/manifest.yml
+++ b/packages/cisco_meraki/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.11.0
 name: cisco_meraki
 title: Cisco Meraki
-version: "1.12.0"
+version: "1.13.0"
 description: Collect logs from Cisco Meraki with Elastic Agent.
 type: integration
 categories:
From f20e5bf9aec2dad714580e1d5c3e977ec05e7386 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 13 Sep 2023 06:38:49 +0930
Subject: [PATCH 2/3] add auth and port event subtype handling
---
 packages/cisco_meraki/changelog.yml | 6 +
 .../log/_dev/test/pipeline/test-events.log | 7 +-
 .../pipeline/test-events.log-expected.json | 159 +++++++++++++++++-
 .../elasticsearch/ingest_pipeline/events.yml | 42 ++++-
 4 files changed, 210 insertions(+), 4 deletions(-)
diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml
index 6d420efbb36..044b5d47e48 100644
--- a/packages/cisco_meraki/changelog.yml
+++ b/packages/cisco_meraki/changelog.yml
@@ -4,6 +4,12 @@
 - description: Handle blocked ARP packet messages.
 type: enhancement
 link: https://github.com/elastic/integrations/pull/7771
+ - description: Handle auth event subtype.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7771
+ - description: Handle port event subtype.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7771
 - version: "1.12.0"
 changes:
 - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
index 9cb82a11f15..4abf54d8cbd 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log
@@ -21,4 +21,9 @@
 <134>1 1639132875.360638431 1_2_AP_4 events type=disassociation radio='1' vap='1' client_mac='36:E7:E9:AE:04:3D' channel='132' reason='8' apple_da_reason='7' instigator='2' duration='40.260521941' auth_neg_dur='0.024206187' last_auth_ago='40.229666962' is_wpa='1' full_conn='0.477861916' ip_resp='1.005954707' ip_src='10.68.128.113' http_resp='0.477861916' arp_resp='0.179876562' arp_src='10.68.128.113' dns_server='10.128.128.128' dns_req_rtt='0.095675854' dns_resp='0.416596437' dhcp_lease_completed='0.182086020' dhcp_server='10.128.128.128' dhcp_server_mac='E0:CB:BC:49:F7:26' dhcp_resp='0.182086020' aid='1750957891'
 <134>1 1639132903.129587239 LG2_AP_01 events type=disassociation radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' channel='36' reason='8' apple_da_reason='7' instigator='2' duration='27.641499140' auth_neg_dur='0.008153688' last_auth_ago='27.627178619' is_wpa='1' full_conn='0.395120958' ip_resp='0.520431812' ip_src='10.72.66.49' http_resp='0.395120958' arp_resp='0.132684875' arp_src='10.72.66.49' dns_server='10.128.128.128' dns_req_rtt='0.121687' dns_resp='0.335365542' dhcp_lease_completed='0.133589958' dhcp_server='10.128.128.128' dhcp_server_mac='F8:9E:28:70:1A:7C' dhcp_resp='0.133589958' aid='1899362895'
 <134>1 1639132917.085087788 LG2_AP_01 events type=wpa_auth radio='1' vap='1' client_mac='8E:2F:69:33:FA:6A' aid='1546367691'
-<134>1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123
\ No newline at end of file
+<134>1 1639132851.416656563 TCP9001 events Blocked ARP Packet from ab:01:02:03:04:05 with IP 81.2.69.144 on VLAN 123
+<134>1 1694519069.914814259 TCP9001 events Port 4 changed STP role from designated to disabled
+<134>1 1694519069.912939179 TCP9001 events port 4 status changed from 100fdx to down
+<134>1 1694519040.863533579 TCP9001 events Port 1 changed STP role from disabled to designated
+<134>1 1694519040.862946339 TCP9001 events port 1 status changed from down to 100fdx
+<134>1 1694519007.104885873 TCP9001 events Auth failure resets to success
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
index d227c15b671..3dc840bfd79 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
@@ -1052,14 +1052,14 @@
 {
 "@timestamp": "2021-12-10T10:40:51.416Z",
 "cisco_meraki": {
- "event_subtype": "blocked",
+ "event_subtype": "arp_blocked",
 "event_type": "events"
 },
 "ecs": {
 "version": "8.9.0"
 },
 "event": {
- "action": "blocked",
+ "action": "arp_blocked",
 "category": [
 "network"
 ],
@@ -1099,6 +1099,161 @@
 "forwarded",
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:44:29.914Z",
+ "cisco_meraki": {
+ "event_subtype": "port_changed_stp_role",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "port_changed_stp_role",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519069.914814259 TCP9001 events Port 4 changed STP role from designated to disabled",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:44:29.912Z",
+ "cisco_meraki": {
+ "event_subtype": "port_status_changed",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "port_status_changed",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519069.912939179 TCP9001 events port 4 status changed from 100fdx to down",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:44:00.863Z",
+ "cisco_meraki": {
+ "event_subtype": "port_changed_stp_role",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "port_changed_stp_role",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519040.863533579 TCP9001 events Port 1 changed STP role from disabled to designated",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:44:00.862Z",
+ "cisco_meraki": {
+ "event_subtype": "port_status_changed",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "port_status_changed",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519040.862946339 TCP9001 events port 1 status changed from down to 100fdx",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "syslog": {
+ "priority": 134
+ }
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-09-12T11:43:27.104Z",
+ "cisco_meraki": {
+ "event_subtype": "auth",
+ "event_type": "events"
+ },
+ "ecs": {
+ "version": "8.9.0"
+ },
+ "event": {
+ "action": "auth",
+ "category": [
+ "network"
+ ],
+ "original": "\u003c134\u003e1 1694519007.104885873 TCP9001 events Auth failure resets to success",
+ "type": [
+ "info"
+ ]
+ },
+ "observer": {
+ "hostname": "TCP9001"
+ },
+ "tags": [
+ "forwarded",
+ "preserve_original_event"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
index 6a6bed62b91..b338e73b061 100644
--- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
+++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
@@ -20,6 +20,14 @@ processors:
 field: cisco_meraki.event_subtype
 value: blocked
 if: ctx.msgtype.toLowerCase() == "blocked"
+- set:
+ field: cisco_meraki.event_subtype
+ value: auth
+ if: ctx.msgtype.toLowerCase() == "auth"
+- set:
+ field: cisco_meraki.event_subtype
+ value: port
+ if: ctx.msgtype.toLowerCase() == "port"
 ####################################################
 # log event with type= format
 # these are dfs_event, association, disassocation,
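Review bot: The new `auth` subtype in `@@ -20,6 +20,14 @@` only tags the event; no grok consumes it, so the `Auth failure resets to success` document in the expected output carries `cisco_meraki.event_subtype: auth` but, unlike every other event in the fixture, no `log.syslog.priority` and nothing parsed from the message body. If tagging alone is the intent for now, a comment on that `set` such as `# auth messages are tagged only; no field extraction yet` would stop the next reader searching for the missing grok; otherwise a grok reusing the shared `SYSLOGHDR`/`WORDORHOST` definitions should at least populate `log.syslog.priority` as the ARP and port groks do. The `processors:` list this sits in begins outside the hunk.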
@@ -83,12 +91,13 @@ processors:
 - grok:
 field: event.original
 patterns:
- - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}Blocked ARP Packet from %{MAC:source.mac} with IP %{IP:source.ip} on %{GREEDYDATA:interface.name}$'
+ - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{GREEDYDATA:interface.name}$'
 pattern_definitions:
 SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
 SYSLOGVER: '\b(?:\d{1,2})\b'
 SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
 WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
+ BLOCKEDARP: 'Blocked ARP Packet'
 if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "blocked"
 - gsub:
 field: source.mac
@@ -98,6 +107,37 @@ processors:
 - uppercase:
 field: source.mac
 ignore_missing: true
+- set:
+ field: cisco_meraki.event_subtype
+ value: arp_blocked
+ if: ctx._temp?.blocked_arp != null
+
+####################################################
+# Handle Ports
+####################################################
+- grok:
+ field: event.original
+ patterns:
+ - '(?i)%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}port %{NOTSPACE} %{PORTACTION:_temp.port_action}'
+ pattern_definitions:
+ SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
+ SYSLOGVER: '\b(?:\d{1,2})\b'
+ SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}'
+ WORDORHOST: '(?:%{WORD}|%{HOSTNAME})'
+ PORTACTION: '(?:changed stp role|status changed)'
+ if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "port"
+- gsub:
+ field: _temp.port_action
+ pattern: ' '
+ replacement: '_'
+ ignore_missing: true
+- lowercase:
+ field: _temp.port_action
+ ignore_missing: true
+- set:
+ field: cisco_meraki.event_subtype
+ value: 'port_{{{_temp.port_action}}}'
+ if: ctx._temp?.port_action != null

 ####################################################
 # Handle dfs_event, wpa_auth, wpa_deauth,
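Review bot: The port grok in `@@ -98,6 +107,37 @@` discards the port number (`port %{NOTSPACE}`) and the `from … to …` states, so the indexed document records only that some port changed STP role or link status; for STP topology changes and link flaps those are the values an analyst needs to correlate, and they are gone wherever `event.original` is not kept. Capturing the port into a field already declared in this package's ecs.yml, e.g. `port %{NOTSPACE:observer.ingress.interface.name} %{PORTACTION:_temp.port_action}`, and the old/new states into `cisco_meraki.`-namespaced fields with matching fields.yml entries would keep them without touching the subtype logic; whether the reporting switch's own port belongs under `observer.ingress` is a mapping decision to confirm. The `_temp` fields are evidently removed further down since they do not appear in the expected output, but that cleanup is outside the hunk.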
From 66c7bea90474398b0e32c5fa9052f9604aae0fef Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Fri, 15 Sep 2023 06:12:57 +0930
Subject: [PATCH 3/3] fix vlan part handling
---
 .../_dev/test/pipeline/test-events.log-expected.json | 10 ++++++----
 .../log/elasticsearch/ingest_pipeline/events.yml | 2 +-
 packages/cisco_meraki/data_stream/log/fields/ecs.yml | 4 ++--
 packages/cisco_meraki/docs/README.md | 2 +-
 4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
index 3dc840bfd79..fe49c8f09ee 100644
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-events.log-expected.json
@@ -1068,16 +1068,18 @@
 "info"
 ]
 },
- "interface": {
- "name": "VLAN 123"
- },
 "log": {
 "syslog": {
 "priority": 134
 }
 },
 "observer": {
- "hostname": "TCP9001"
+ "hostname": "TCP9001",
+ "ingress": {
+ "vlan": {
+ "id": "123"
+ }
+ }
 },
 "source": {
 "geo": {
diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
index b338e73b061..afd2e407494 100644
--- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
+++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml
@@ -91,7 +91,7 @@ processors:
 - grok:
 field: event.original
 patterns:
- - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{GREEDYDATA:interface.name}$'
+ - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{BLOCKEDARP:_temp.blocked_arp} from %{MAC:source.mac} with IP %{IP:source.ip} on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id}$'
 pattern_definitions:
 SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>'
 SYSLOGVER: '\b(?:\d{1,2})\b'
diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
index aaadbe38f52..e8ce1e59a77 100644
--- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml
@@ -114,8 +114,6 @@
 name: http.request.method
 - external: ecs
 name: http.request.referrer
-- external: ecs
- name: interface.name
 - external: ecs
 name: log.level
 - external: ecs
@@ -148,6 +146,8 @@
 name: observer.egress.interface.name
 - external: ecs
 name: observer.ingress.interface.name
+- external: ecs
+ name: observer.ingress.vlan.id
 - external: ecs
 name: observer.product
 - external: ecs
diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md
index 36a502e2743..a9d90d3d9b6 100644
--- a/packages/cisco_meraki/docs/README.md
+++ b/packages/cisco_meraki/docs/README.md
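Review bot: The new pattern tail `on %{NOTSPACE} %{GREEDYDATA:observer.ingress.vlan.id}$` accepts any word in place of `VLAN` and any trailing text as the VLAN id, so a message ending in something other than `on VLAN <n>` still matches and stores arbitrary text in `observer.ingress.vlan.id`. Anchoring the literal and the numeric id, `on VLAN %{NONNEGINT:observer.ingress.vlan.id}$`, keeps the field to what the README documents it as and turns an unexpected message shape into a visible grok miss rather than a wrong value. The grok's `if:` condition and the remaining pattern definitions are outside the hunk.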
@@ -194,7 +194,6 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | input.type | Input type. | keyword |
-| interface.name | Interface name as reported by the system. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
@@ -214,6 +213,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | observer.egress.interface.name | Interface name as reported by the system. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
 | observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
 | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.product | The product name of the observer. | keyword |
 | observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |