diff --git a/packages/cisco/0.13.3/changelog.yml b/packages/cisco/0.13.3/changelog.yml
new file mode 100755
index 0000000000..ed20c974cd
--- /dev/null
+++ b/packages/cisco/0.13.3/changelog.yml
@@ -0,0 +1,146 @@
+# newer versions go on top
+- version: "0.13.3"
+ changes:
+ - description: Update readme file
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2927
+- version: "0.13.2"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
+- version: "0.13.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.13.0"
+ changes:
+ - description: Update to ECS 8.0.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2577
+- version: "0.12.5"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.12.4"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "0.12.3"
+ changes:
+ - description: Update Title and Description.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "0.12.2"
+ changes:
+ - description: Fixed a bug that prevents the package from working in 7.16.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1882
+- version: "0.12.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1804
+- version: "0.12.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1788
+- version: "0.11.7"
+ changes:
+ - description: Adding missing ECS fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1730
+- version: "0.11.6"
+ changes:
+ - description: Deprecating Cisco package in favor of new product specific packages
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1589
+- version: "0.11.5"
+ changes:
+ - description: Requires version 7.14.1 of the stack
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1541
+- version: "0.11.4"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1471
+- version: "0.11.3"
+ changes:
+ - description: Fix text consistency
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1347
+- version: "0.11.2"
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1377
+- version: "0.11.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "0.11.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.10.1"
+ changes:
+ - description: Fix reversed ingress / egress interfaces
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1326
+- version: "0.10.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1257
+- version: "0.9.5"
+ changes:
+ - description: Remove unimplemented "Log Level" parameter from ASA/FTD.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1159
+- version: "0.9.4"
+ changes:
+ - description: use `wildcard` field type for relevant ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1181
+- version: "0.9.3"
+ changes:
+ - description: update to ECS 1.10.0 and prepare package for fleet GA
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1035
+- version: "0.9.2"
+ changes:
+ - description: make event.original optional
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1073
+- version: "0.9.1"
+ changes:
+ - description: fix broken package
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1011
+- version: "0.9.0"
+ changes:
+ - description: parse additional log types
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/896
+- version: "0.8.1"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/840
+- version: "0.8.0"
+ changes:
+ - description: move edge processing to ingest pipelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/775
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/23
diff --git a/packages/cisco/0.13.3/data_stream/asa/agent/stream/stream.yml.hbs b/packages/cisco/0.13.3/data_stream/asa/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..28ea4aaa98
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/asa/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/data_stream/asa/agent/stream/udp.yml.hbs b/packages/cisco/0.13.3/data_stream/asa/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..f76534e8ce
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/asa/agent/stream/udp.yml.hbs
@@ -0,0 +1,17 @@
+udp:
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/data_stream/asa/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/0.13.3/data_stream/asa/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..d69265b555
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/asa/elasticsearch/ingest_pipeline/default.yml
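Review bot: `- add_locale: ~` stamps `event.timezone` with the Elastic Agent host's local zone, and the ingest pipeline's second `date` processor then parses the ASA header timestamp — which the `ASA_DATE` pattern treats as carrying only an optional TZ — in that zone, so an agent running in a different timezone than the firewall silently shifts `@timestamp` by the offset and corrupts incident timelines. Nothing in the template warns the operator; a Handlebars comment above `processors:` would, e.g. `{{!-- add_locale sets event.timezone from the agent host; the pipeline parses TZ-less ASA timestamps in that zone, so run the agent in the firewall's timezone (or log UTC on both) --}}`. Separately, `- {{path}}` and `- {{tag}}` are emitted unquoted, so a value that looks like a YAML boolean or begins with `*`, `[` or `{` is re-typed or rejected by the agent's YAML parser; `- "{{path}}"` and `- "{{tag}}"` avoid that.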
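Review bot: The listener `host: "{{udp_host}}:{{udp_port}}"` accepts syslog from any peer that can reach it — UDP carries no authentication and the source address is trivially spoofed — while the ingest pipeline takes `host.hostname`, `process.name`, `event.severity` and the timestamp straight from the message header, so anyone on the path can plant forged firewall events under an arbitrary hostname. Nothing in the template says so; a comment next to `host:` would, for example `{{!-- UDP syslog is unauthenticated and spoofable: bind udp_host to a management interface and restrict senders with network ACLs or a syslog relay --}}`. Whether the manifest defaults `udp_host` to a wildcard bind is not visible here; if it does, that default deserves the same caveat in the input's description. `- {{tag}}` is also emitted unquoted, so a boolean-looking tag is re-typed by the agent's YAML parser; `- "{{tag}}"` is safer.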
@@ -0,0 +1,1962 @@
+---
+description: "Pipeline for Cisco ASA logs"
+processors:
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - set:
+ field: ecs.version
+ value: '1.12.0'
+ #
+ # Parse the syslog header
+ #
+ # This populates the host.hostname, process.name, timestamp and other fields
+ # from the header and stores the message contents in _temp_.full_message.
+ - grok:
+ field: event.original
+ patterns:
+ - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}"
+ pattern_definitions:
+ SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?"
+ SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>"
+ # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424.
+ FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})"
+ ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?"
+ PROCESS: "(?:[^%\\s:\\[]+)"
+ SYSLOG_END: "(?:(:|\\s)\\s+)"
+ # exactly match the syntax for firepower management logs
+ PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})"
+ HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?"
+
+ #
+ # Parse FTD/ASA style message
+ #
+ # This parses the header of an EMBLEM-style message for FTD and ASA prefixes.
+ - grok:
+ field: _temp_.full_message
+ patterns:
+ - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}"
+ # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header.
+ - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + + # + # Create missing fields when no %FTD label is present + # + # message_id is needed in order for some processors below to work. + - set: + field: _temp_.cisco.message_id + value: "" + if: "ctx?._temp_?.cisco?.message_id == null" + + # + # set default event.severity to 7 (debug): + # + # This value is read from the EMBLEM header and won't be present if this is not + # an emblem message (firewalls can be configured to report other kinds of events) + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + + # + # Parse the date included in FTD logs + # + - date: + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + - date: + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" + timezone: "{{ event.timezone }}" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy 
HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + + # + # Set log.level + # + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # + # Firewall messages + # + # This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + description: "106001" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + description: "106002" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + description: "106006" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - 
dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + description: "106007" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + description: "106010" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" + - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + description: "106013" + pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + description: "106013" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + description: "106013" + value: inbound + - grok: + if: "ctx._temp_.cisco.message_id == '106014'" + field: "message" + description: "106014" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" 
+ - grok: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + description: "106015" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106016" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + description: "106017" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + description: "106018" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: "message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + description: "106020" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106021" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106022" + - grok: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + description: "106023" + patterns: + - 
^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106027'" + field: "message" + description: "106027" + pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '106100'" + field: "message" + description: "106100" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" + field: "message" + description: "106103" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '111004'" + field: "message" + description: "111004" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + description: "111004" + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + description: "111004" + value: "failure" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + description: 
"111004" + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:host.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + description: "111010" + patterns: + - "User '%{NOTSPACE:host.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + description: "113019" + pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" + - grok: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "302013, 302015" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" + - dissect: + if: "ctx._temp_.cisco.message_id == '303002'" + field: "message" + description: "303002" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302012'" + field: "message" + description: "302012" + pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + description: "302020" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
+ pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + description: "302022" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302023'" + field: "message" + description: "302023" + pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" + - grok: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + description: "304001" + patterns: + - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + description: "304001" + value: success + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + description: "304002" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - grok: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + description: "305011" + patterns: + - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: "message" + description: "313001" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + description: "313004" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + description: "313005" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + description: "313008" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + description: "313009" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + description: "322001" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == 
'338001'" + field: "message" + description: "338001" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "server.domain" + description: "338001" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "message" + description: "338002" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "server.domain" + description: "338002" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338003'" + field: "message" + description: "338003" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: 
%{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338004'" + field: "message" + description: "338004" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "message" + description: "338005" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "server.domain" + description: "338005" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "message" + description: "338006" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: 
%{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "server.domain" + description: "338006" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338007'" + field: "message" + description: "338007" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338008'" + field: "message" + description: "338008" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "message" + description: "338101" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from 
%{_temp_.cisco.list_id} list: %{source.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "server.domain" + description: "338101" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "message" + description: "338102" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "server.domain" + description: "338102" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338103'" + field: "message" + description: "338103" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338104'" + field: "message" + description: "338104" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: 
"ctx._temp_.cisco.message_id == '338201'" + field: "message" + description: "338201" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "server.domain" + description: "338201" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "message" + description: "338202" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "server.domain" + description: "338202" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "message" + description: "338203" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "server.domain" + description: "338203" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "message" + description: "338204" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "server.domain" + description: "338204" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "message" + description: "338301" + pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.address" + description: "338301" + value: "{{destination.address}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.port" + description: "338301" + value: "{{destination.port}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.address" + description: "338301" + value: 
"{{source.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.port"
+ description: "338301"
+ value: "{{source.port}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "message"
+ description: "502103"
+ pattern: "User priv level changed: Uname: %{host.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.type"
+ description: "502103"
+ value:
+ - "group"
+ - "change"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.category"
+ description: "502103"
+ value: "iam"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '507003'"
+ field: "message"
+ description: "507003"
+ pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}"
+ - dissect:
+ if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "605004, 605005"
+ pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609001'"
+ field: "message"
+ description: "609001"
+ pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609002'"
+ field: "message"
+ description: "609002"
+ pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}"
+ - dissect:
+ if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "611102, 611101"
+ pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{host.user.name}'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710003'"
+ field: "message"
+ description: "710003"
+ pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == 
'710005'"
+ field: "message"
+ description: "710005"
+ pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713049'"
+ field: "message"
+ description: "713049"
+ pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '716002'"
+ field: "message"
+ description: "716002"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}."
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}."
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '722051'"
+ field: "message"
+ description: "722051"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}"
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '733100'"
+ field: "message"
+ description: "733100"
+ pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. 
Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '734001'"
+ field: "message"
+ description: "734001"
+ pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805001'"
+ field: "message"
+ description: "805001"
+ pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805002'"
+ field: "message"
+ description: "805002"
+ pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - split:
+ field: "_temp_.cisco.dap_records"
+ separator: ",\\s+"
+ ignore_missing: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434002'"
+ field: "message"
+ pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: 
"ctx._temp_.cisco.message_id == '434004'"
+ field: "message"
+ pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '110002'"
+ field: "message"
+ pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '419002'"
+ field: "message"
+ pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}"
+ - dissect:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}."
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750002'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713120'"
+ field: "message"
+ pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713202'"
+ field: "message"
+ pattern: "IP = %{source.address}, %{event.reason}. %{} packet." 
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750003'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
+ - grok:
+ if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ patterns:
+ - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"
+ # Handle ecs action outcome protocol
+ - set:
+ if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "unknown"
+ - set:
+ if: '["419002"].contains(ctx._temp_.cisco.message_id)'
+ field: "network.protocol"
+ value: "tcp"
+ - set:
+ if: '["110002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["713120"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "connection-started"
+ - set:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "error"
+ - append:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.type"
+ value: "error"
+
+ #
+ # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
+ #
+ - set:
+ if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "flow-expiration"
+ description: "302012, 302014, 
302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" + - grok: + field: "message" + if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" + patterns: + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) 
%{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr 
(?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + + # + # Decode FTD's Security Event Syslog Messages + # + # 43000x messages are security event syslog messages specific to FTD. + # Format is a comma-separated sequence of key: value pairs. + # + # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} + - kv: + if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "430001, 430002, 430003, 430004, 430005" + field_split: ",(?=[A-za-z1-9\\s]+:)" + value_split: ":" + target_field: "_temp_.orig_security" + trim_key: " " + trim_value: " " + ignore_failure: true + + # + # Remove _temp_.full_message. + # + # The field has been used as temporary buffer while decoding. The full message + # is kept under event.original. Processors below can still add a message field, as some + # security events contain an explanatory Message field. + - remove: + field: + - message + - _temp_.full_message + ignore_missing: true + + # + # Populate ECS fields from Security Events + # + # This script uses the key-value pairs from Security Events to populate + # the appropriate ECS fields. + # + # A single key can be mapped to multiple ECS fields, and more than one key can + # map to the same ECS field, which results in an array being created. + # + # This script performs an additional job: + # + # Before FTD version 6.3, the message_id was not included in Security Events. + # As this field encodes the kind of event (intrusion, connection, malware...) 
+ # the script below will guess the right message_id from the keys present in + # the event. + # + # The reason for overloading this script with different behaviors is + # that this pipeline is already reaching the limit on script compilations. + # + #******************************************************************************* + # Code generated by go generate. DO NOT EDIT. + #******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: 
["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.address] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: 
[_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", "430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + 
ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.address] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.address] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? 
value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } + } + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); + #******************************************************************************* + # End of generated code. 
+ #******************************************************************************* + + # + # Normalize ECS field values + # + - script: + lang: painless + params: + "ctx._temp_.cisco.message_id": + target: event.action + map: + "430001": intrusion-detected + "430002": connection-started + "430003": connection-finished + "430004": file-detected + "430005": malware-detected + "dns.question.type": + map: + "a host address": A + "ip6 address": AAAA + "text strings": TXT + "a domain name pointer": PTR + "an authoritative name server": NS + "the canonical name for an alias": CNAME + "marks the start of a zone of authority": SOA + "mail exchange": MX + "server selection": SRV + "dns.response_code": + map: + "non-existent domain": NXDOMAIN + "server failure": SERVFAIL + "query refused": REFUSED + "no error": NOERROR + source: | + def getField(Map src, String[] path) { + for (int i=0; i new HashMap()); + } + dest[path[path.length-1]] = value; + } + for (entry in params.entrySet()) { + def srcField = entry.getKey(); + def param = entry.getValue(); + String oldVal = getField(ctx, srcField.splitOnToken('.')); + if (oldVal == null) continue; + def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); + if (newVal != null) { + def dstField = param.getOrDefault('target', srcField); + setField(ctx, dstField.splitOnToken('.'), newVal); + } + } + - set: + if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null" + field: dns.response_code + value: NOERROR + - set: + if: 'ctx._temp_.cisco.message_id == "430001"' + field: event.action + value: intrusion-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430002"' + field: event.action + value: connection-started + - set: + if: 'ctx._temp_.cisco.message_id == "430003"' + field: event.action + value: connection-finished + - set: + if: 'ctx._temp_.cisco.message_id == "430004"' + field: event.action + value: file-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430005"' + field: event.action + value: 
malware-detected + + # + # Handle event.duration + # + # It can be set from ConnectionDuration FTD field above. This field holds + # seconds as a string. Copy it to _temp_.duration_hms so that the following + # processor converts it to the right value and populates start and end. + - set: + field: "_temp_.duration_hms" + value: "{{event.duration}}" + ignore_empty_value: true + + # + # Process the flow duration "hh:mm:ss" present in some messages + # This will fill event.start, event.end and event.duration + # + - script: + lang: painless + if: "ctx?._temp_?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else { + return 0; + } + } + return total + cur; + } + if (ctx?.event == null) { + ctx['event'] = new HashMap(); + } + String end = ctx['@timestamp']; + ctx.event['end'] = end; + long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + ctx.event['start'] = ZonedDateTime.ofInstant( + Instant.parse(end).minusNanos(nanos), + ZoneOffset.UTC); + # + # Normalize protocol names + # + - lowercase: + field: "network.transport" + ignore_failure: true + - lowercase: + field: "network.protocol" + ignore_failure: true + - lowercase: + field: "network.application" + ignore_failure: true + - lowercase: + field: "file.type" + ignore_failure: true + - lowercase: + field: "network.direction" + ignore_failure: true + - lowercase: + field: "network.type" + ignore_failure: true + # + # Populate network.iana_number from network.transport. Also does reverse + # mapping in case network.transport contains the iana_number. 
+ # + - script: + if: "ctx?.network?.transport != null" + lang: painless + params: + icmp: 1 + igmp: 2 + ipv4: 4 + tcp: 6 + egp: 8 + igp: 9 + pup: 12 + udp: 17 + rdp: 27 + irtp: 28 + dccp: 33 + idpr: 35 + ipv6: 41 + ipv6-route: 43 + ipv6-frag: 44 + rsvp: 46 + gre: 47 + esp: 50 + ipv6-icmp: 58 + ipv6-nonxt: 59 + ipv6-opts: 60 + source: > + def net = ctx.network; + def iana = params[net.transport]; + if (iana != null) { + net['iana_number'] = iana; + return; + } + def reverse = new HashMap(); + def[] arr = new def[] { null }; + for (entry in params.entrySet()) { + arr[0] = entry.getValue(); + reverse.put(String.format("%d", arr), entry.getKey()); + } + def trans = reverse[net.transport]; + if (trans != null) { + net['iana_number'] = net.transport; + net['transport'] = trans; + } + # + # Normalize event.outcome + # + - lowercase: + field: "event.outcome" + ignore_missing: true + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "est-allowed"' + value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "permitted"' + value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "allow"' + value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "denied"' + value: failure + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "deny"' + value: failure + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "dropped"' + value: failure + - set: + field: "network.transport" + if: 'ctx.network?.transport == "icmpv6"' + value: "ipv6-icmp" + # + # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string + # + - convert: + field: source.port + type: integer + ignore_failure: true + - convert: + field: destination.port + type: integer + ignore_failure: true + - convert: + field: source.bytes + type: long + ignore_failure: true + - convert: + field: destination.bytes + type: long + ignore_failure: true + - convert: + field: network.bytes + type: long + 
ignore_failure: true + - convert: + field: source.packets + type: integer + ignore_failure: true + - convert: + field: destination.packets + type: integer + ignore_failure: true + - convert: + field: _temp_.cisco.mapped_source_port + type: integer + ignore_failure: true + - convert: + field: _temp_.cisco.mapped_destination_port + type: integer + ignore_failure: true + - convert: + field: _temp_.cisco.icmp_code + type: integer + ignore_failure: true + - convert: + field: _temp_.cisco.icmp_type + type: integer + ignore_failure: true + - convert: + field: http.response.status_code + type: integer + ignore_failure: true + - convert: + field: file.size + type: integer + ignore_failure: true + - convert: + field: network.iana_number + type: string + ignore_failure: true + # + # Assign ECS .ip fields from .address is a valid IP address is found, + # otherwise set .domain field. + # + - grok: + field: source.address + patterns: + - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$" + ignore_failure: true + - grok: + field: destination.address + patterns: + - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$" + ignore_failure: true + - grok: + field: client.address + patterns: + - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$" + ignore_failure: true + - grok: + field: server.address + patterns: + - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$" + ignore_failure: true + # + # Geolocation for source and destination addresses + # + - geoip: + field: "source.ip" + target_field: "source.geo" + ignore_missing: true + - geoip: + field: "destination.ip" + target_field: "destination.geo" + ignore_missing: true + # + # IP Autonomous System (AS) Lookup + # + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + 
ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ #
+ # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address.
+ #
+ - grok:
+ field: _temp_.natsrcip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"
+ ignore_failure: true
+ - grok:
+ field: _temp_.natdstip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$"
+ ignore_failure: true
+ #
+ # NAT fields
+ #
+ # The firewall always populates mapped ip and port even if there was no NAT.
+ # This populates both nat.ip and nat.port only when some translation is done.
+ # Fills nat.ip and nat.port even when only the ip or port changed.
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.cisco.mapped_source_ip}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: source.nat.port
+ value: "{{_temp_.cisco.mapped_source_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.port
+ type: long
+ ignore_missing: true
+ - set:
+ field: destination.nat.ip
+ value: "{{_temp_.cisco.mapped_destination_ip}}"
+ if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: destination.nat.port
+ value: "{{_temp_.cisco.mapped_destination_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.port
+ type: long
+ ignore_missing: true
+ #
+ # Zone-based Network Directionality
+ #
+ # If external and internal zones are specified and our ingress/egress zones are
+ # populated, then we can classify traffic directionality based off of our defined
+ # zones rather than the logs.
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ )
+ )
+
+ - set:
+ field: _temp_.url_domain
+ value:
"{{url.domain}}" + ignore_failure: true + if: ctx?.url?.domain != null + + - uri_parts: + field: url.original + ignore_failure: true + if: ctx?.url?.original != null + - append: + field: url.domain + value: "{{_temp_.url_domain}}" + ignore_failure: true + allow_duplicates: false + if: ctx?._temp_?.url_domain != null + + # + # Populate ECS event.code + # + - rename: + field: _temp_.cisco.message_id + target_field: event.code + ignore_failure: true + - remove: + field: + - _temp_.cisco.message_id + - event.code + if: 'ctx._temp_.cisco.message_id == ""' + ignore_failure: true + # + # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. + # + - rename: + field: _temp_.cisco + target_field: "cisco.asa" + ignore_failure: true + # + # Remove temporary fields + # + - remove: + field: _temp_ + ignore_missing: true + # + # Rename some 7.x fields + # + - rename: + field: cisco.asa.list_id + target_field: cisco.asa.rule_name + ignore_missing: true + # ECS categorization + - script: + lang: painless + params: + connection-finished: + kind: event + category: + - network + type: + - connection + - end + connection-started: + kind: event + category: + - network + type: + - connection + - start + file-detected: + kind: alert + category: + - malware + type: + - info + firewall-rule: + kind: event + category: + - network + type: + - info + flow-expiration: + kind: event + category: + - network + type: + - connection + - end + intrusion-detected: + kind: alert + category: + - intrusion_detection + type: + - info + malware-detected: + kind: alert + category: + - malware + type: + - info + bypass: + kind: event + category: + - network + type: + - info + - change + error: + kind: event + outcome: failure + category: + - network + type: + - error + deleted: + kind: event + category: + - network + type: + - info + - deletion + - user + creation: + kind: event + category: + - network + type: + - info + - creation + - user + source: >- + if (ctx?.event?.action == null || 
!params.containsKey(ctx.event.action)) { + return; + } + ctx.event.kind = params.get(ctx.event.action).get('kind'); + ctx.event.category = params.get(ctx.event.action).get('category').clone(); + ctx.event.type = params.get(ctx.event.action).get('type').clone(); + if (ctx?.event?.outcome == null) { + return; + } + if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { + if (ctx.event.outcome == 'success') { + ctx.event.type.add('allowed'); + } + if (ctx.event.outcome == 'failure') { + ctx.event.type.add('denied'); + } + if (ctx.event.outcome == 'block') { + ctx.event.type.add('failure'); + } + } + + - set: + description: copy destination.user.name to user.name if it is not set + field: user.name + value: "{{destination.user.name}}" + ignore_empty_value: true + if: ctx?.user?.name == null + + # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. + - set: + field: observer.hostname + value: "{{ host.hostname }}" + ignore_empty_value: true + - set: + field: observer.vendor + value: "Cisco" + ignore_empty_value: true + - set: + field: observer.type + value: "firewall" + ignore_empty_value: true + - set: + field: observer.product + value: "asa" + ignore_empty_value: true + - set: + field: observer.egress.interface.name + value: "{{ cisco.asa.destination_interface }}" + ignore_empty_value: true + - set: + field: observer.ingress.interface.name + value: "{{ cisco.asa.source_interface }}" + ignore_empty_value: true + - append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{source.nat.ip}}" + if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{destination.nat.ip}}" + if: "ctx?.destination?.nat?.ip != 
null"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ if: ctx?.user?.name != null && ctx?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{host.user.name}}"
+ if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{destination.user.name}}"
+ if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: "{{file.hash.sha256}}"
+ if: "ctx?.file?.hash?.sha256 != null"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.domain}}"
+ if: ctx.destination?.domain != null && ctx.destination?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.domain}}"
+ if: ctx.source?.domain != null && ctx.source?.domain != ''
+ allow_duplicates: false
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + # Copy any fields under _temp_.cisco to its final destination. Those can help + # with diagnosing the failure. + - rename: + field: _temp_.cisco + target_field: "cisco.asa" + ignore_failure: true + # Remove _temp_ to avoid adding a lot of unnecessary fields to the index. + - remove: + field: _temp_ + ignore_missing: true + - append: + field: "error.message" + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco/0.13.3/data_stream/asa/fields/agent.yml b/packages/cisco/0.13.3/data_stream/asa/fields/agent.yml new file mode 100755 index 0000000000..d38a70bd6b --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/asa/fields/agent.yml 
@@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
+- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/cisco/0.13.3/data_stream/asa/fields/base-fields.yml b/packages/cisco/0.13.3/data_stream/asa/fields/base-fields.yml new file mode 100755 index 0000000000..4d6bf1902f --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/asa/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco.asa +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cisco/0.13.3/data_stream/asa/fields/ecs.yml b/packages/cisco/0.13.3/data_stream/asa/fields/ecs.yml new file mode 100755 index 0000000000..bf9c8dcdf6 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/asa/fields/ecs.yml 
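Review bot: `log.source.address` (last entry of the agent.yml hunk) is the only field here that records where a log record came from on the wire, and its description does not distinguish it from `host.hostname`/`observer.hostname`, which this package fills from the event itself (the pipeline's `observer.hostname` copy from `host.hostname` is visible later in the diff; where `host.hostname` is populated is not). For a syslog-fed firewall data stream that distinction matters when investigating spoofed or misattributed events, so suggest `description: Network address of the peer the log event was read from or received from by the input; unlike host.hostname it is not taken from the message content.` — hedged, since the input type for this data stream is outside the hunk. Separately, `example: 666777888999` under the keyword field `cloud.account.id` is an unquoted integer scalar; `example: "666777888999"` keeps the example the same type as the field, unless the package spec already coerces examples to strings.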
@@ -0,0 +1,478 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. 
+ level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. 
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. 
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
+ name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). 
+ Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. 
Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. 
+ This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
+ name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". 
+ name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip 
diff --git a/packages/cisco/0.13.3/data_stream/asa/fields/fields.yml b/packages/cisco/0.13.3/data_stream/asa/fields/fields.yml
new file mode 100755
index 0000000000..232f2e3f45
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/asa/fields/fields.yml
@@ -0,0 +1,185 @@ +- name: cisco.asa + type: group + fields: + - name: message_id + type: keyword + description: > + The Cisco ASA message identifier. + + - name: suffix + type: keyword + description: > + Optional suffix after %ASA identifier. + + - name: source_interface + type: keyword + description: > + Source interface for the flow or event. + + - name: destination_interface + type: keyword + description: > + Destination interface for the flow or event. + + - name: rule_name + type: keyword + description: > + Name of the Access Control List rule that matched this event. + + - name: source_username + type: keyword + description: > + Name of the user that is the source for this event. + + - name: destination_username + type: keyword + description: > + Name of the user that is the destination for this event. + + - name: mapped_source_ip + type: ip + description: > + The translated source IP address. + + - name: mapped_source_port + type: long + description: > + The translated source port. + + - name: mapped_destination_ip + type: ip + description: > + The translated destination IP address. + + - name: mapped_destination_port + type: long + description: > + The translated destination port. + + - name: threat_level + type: keyword + description: > + Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. + + - name: threat_category + type: keyword + description: > + Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. + + - name: connection_id + type: keyword + description: > + Unique identifier for a flow. + + - name: icmp_type + type: short + description: > + ICMP type. + + - name: icmp_code + type: short + description: > + ICMP code. 
+ + - name: connection_type + type: keyword + description: > + The VPN connection type + + - name: dap_records + type: keyword + description: > + The assigned DAP records + + - name: mapped_destination_host + type: keyword + - name: username + type: keyword + - name: mapped_source_host + type: keyword + - name: command_line_arguments + default_field: false + type: keyword + description: > + The command line arguments logged by the local audit log + + - name: assigned_ip + default_field: false + type: ip + description: > + The IP address assigned to a VPN client successfully connecting + + - name: privilege.old + default_field: false + type: keyword + description: > + When a users privilege is changed this is the old value + + - name: privilege.new + default_field: false + type: keyword + description: > + When a users privilege is changed this is the new value + + - name: burst.object + default_field: false + type: keyword + description: > + The related object for burst warnings + + - name: burst.id + default_field: false + type: keyword + description: > + The related rate ID for burst warnings + + - name: burst.current_rate + default_field: false + type: keyword + description: > + The current burst rate seen + + - name: burst.configured_rate + default_field: false + type: keyword + description: > + The current configured burst rate + + - name: burst.avg_rate + default_field: false + type: keyword + description: > + The current average burst rate seen + + - name: burst.configured_avg_rate + default_field: false + type: keyword + description: > + The current configured average burst rate allowed + + - name: burst.cumulative_count + default_field: false + type: keyword + description: > + The total count of burst rate hits since the object was created or cleared + + - name: security + type: flattened + description: Cisco FTD security event fields. 
+ - name: webvpn.group_name + type: keyword + default_field: false + description: > + The WebVPN group name the user belongs to + + - name: termination_user + default_field: false + type: keyword + description: >- + AAA name of user requesting termination +- name: syslog.facility.code + type: long + description: Syslog numeric facility of the event. +- name: syslog.priority + type: long + description: Syslog priority of the event. diff --git a/packages/cisco/0.13.3/data_stream/asa/manifest.yml b/packages/cisco/0.13.3/data_stream/asa/manifest.yml new file mode 100755 index 0000000000..da5b9c83c3 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/asa/manifest.yml 
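Review bot: Three entries in this fields file — `mapped_destination_host`, `username` and `mapped_source_host` — have no `description`, unlike every other field in the hunk, so the generated docs will not tell an analyst how `username` relates to `source_username`/`destination_username` or which NAT side the `mapped_*_host` names belong to. I would add `description: The translated destination hostname.` and `description: The translated source hostname.` to the two `mapped_*_host` fields, and a one-line description on `username` naming the message types that populate it (the pipeline that fills it is not in this hunk, so confirm against it). Separately, `syslog.priority` is described as "Syslog priority of the event", while the `<N.M>` grok in the FTD pipeline later in this diff stores the second number there; if that value is a severity rather than the RFC 3164 PRI (facility*8+severity), the description should say so, since "priority" has a fixed meaning in syslog and detections filtering on it would otherwise be wrong.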
@@ -0,0 +1,87 @@ +title: Cisco ASA logs +release: experimental +type: logs +streams: + - input: udp + title: Cisco ASA logs + description: Collect Cisco ASA logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-asa + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP Port to listen on + multi: false + required: true + show_user: true + default: 9001 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
+ + - input: logfile + enabled: false + title: Cisco ASA logs + description: Collect Cisco ASA logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/cisco-asa.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-asa + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco/0.13.3/data_stream/asa/sample_event.json b/packages/cisco/0.13.3/data_stream/asa/sample_event.json new file mode 100755 index 0000000000..5e1089ec46 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/asa/sample_event.json 
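Review bot: The UDP stream exposes `udp_host`/`udp_port`, but neither their titles nor the stream `description` say that syslog over UDP carries no source authentication: anything that can reach the port can inject lines the pipeline will parse as firewall events, and fields such as `host.hostname` are taken from the syslog header rather than from the sender (as the FTD pipeline later in this diff does with `%{SYSLOGHOST:host.hostname}`). I would add to `udp_host`: `description: Address to bind to. The default localhost accepts loopback traffic only; when binding to a non-loopback address, restrict the port (host firewall/ACL) to the ASA devices, because UDP syslog is unauthenticated and trivially spoofable.` For `preserve_original_event`, the raw line kept in `event.original` will contain whatever the ASA logs — user names and, for 111009/111010-style messages, CLI command arguments — so a short note that this field may hold sensitive data and should be covered by index access controls would help operators decide. The logfile stream has no `template_path`; presumably it falls back to `stream.yml.hbs`, which is worth stating in a comment so the two templates are not confused.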
@@ -0,0 +1,108 @@ +{ + "@timestamp": "2018-10-10T12:34:56.000Z", + "agent": { + "ephemeral_id": "a548620b-0623-4130-b586-fe233f00e6e5", + "hostname": "docker-fleet-agent", + "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.14.0" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "data_stream": { + "dataset": "cisco.asa", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "100.66.98.44", + "ip": "100.66.98.44", + "port": 8256 + }, + "ecs": { + "version": "1.10.0" + }, + "elastic_agent": { + "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "snapshot": true, + "version": "7.14.0" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "305011", + "dataset": "cisco.asa", + "ingested": "2021-07-19T08:54:36.436846422Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256\n", + "severity": 6, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost", + "name": "docker-fleet-agent" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "informational", + "source": { + "address": "172.23.0.4:59451" + } + }, + "network": { + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "tags": [ + "preserve_original_event", + "cisco-asa", + 
"forwarded" + ] +} \ No newline at end of file diff --git a/packages/cisco/0.13.3/data_stream/ftd/agent/stream/stream.yml.hbs b/packages/cisco/0.13.3/data_stream/ftd/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..28ea4aaa98 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ftd/agent/stream/stream.yml.hbs @@ -0,0 +1,20 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco/0.13.3/data_stream/ftd/agent/stream/udp.yml.hbs b/packages/cisco/0.13.3/data_stream/ftd/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..e129442a23 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ftd/agent/stream/udp.yml.hbs @@ -0,0 +1,16 @@ +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco/0.13.3/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/0.13.3/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..6e0f692cb5 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ftd/elasticsearch/ingest_pipeline/default.yml 
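Review bot: `add_locale: ~` in udp.yml.hbs (and stream.yml.hbs on the same line) stamps `event.timezone` with the agent host's zone, and the FTD pipeline further down in this diff feeds `event.timezone` to its `date` processor for zone-less ASA/FTD timestamps; when the agent and the firewall sit in different zones, `@timestamp` is shifted by the difference, which directly affects incident timelines and correlation with other sources. I would add a comment above the processor: `# add_locale records the *agent's* timezone in event.timezone; the ingest pipeline uses it to interpret timestamps that carry no zone, so either configure the device to emit timezone/RFC 5424 timestamps or run the agent in the device's zone.` Whether the ASA pipeline applies the same logic is not visible in this chunk, so confirm it before relying on the comment for that stream.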
@@ -0,0 +1,1962 @@ +--- +description: "Pipeline for Cisco ASA logs" +processors: + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: ecs.version + value: '1.12.0' + # + # Parse the syslog header + # + # This populates the host.hostname, process.name, timestamp and other fields + # from the header and stores the message contents in _temp_.full_message. + - grok: + field: event.original + patterns: + - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" + pattern_definitions: + SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" + SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>" + # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. + FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" + ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" + PROCESS: "(?:[^%\\s:\\[]+)" + SYSLOG_END: "(?:(:|\\s)\\s+)" + # exactly match the syntax for firepower management logs + PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" + HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + + # + # Parse FTD/ASA style message + # + # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. + - grok: + field: _temp_.full_message + patterns: + - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" + # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. 
+ - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + + # + # Create missing fields when no %FTD label is present + # + # message_id is needed in order for some processors below to work. + - set: + field: _temp_.cisco.message_id + value: "" + if: "ctx?._temp_?.cisco?.message_id == null" + + # + # set default event.severity to 7 (debug): + # + # This value is read from the EMBLEM header and won't be present if this is not + # an emblem message (firewalls can be configured to report other kinds of events) + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + + # + # Parse the date included in FTD logs + # + - date: + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + - date: + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" + timezone: "{{ event.timezone }}" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy 
HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + + # + # Set log.level + # + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # + # Firewall messages + # + # This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + description: "106001" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + description: "106002" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + description: "106006" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - 
dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + description: "106007" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + description: "106010" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" + - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + description: "106013" + pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + description: "106013" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + description: "106013" + value: inbound + - grok: + if: "ctx._temp_.cisco.message_id == '106014'" + field: "message" + description: "106014" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" 
+ - grok: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + description: "106015" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106016" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + description: "106017" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + description: "106018" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: "message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + description: "106020" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106021" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106022" + - grok: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + description: "106023" + patterns: + - 
^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106027'"
+ field: "message"
+ description: "106027"
+ pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106100'"
+ field: "message"
+ description: "106100"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'"
+ field: "message"
+ description: "106103"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '111004'"
+ field: "message"
+ description: "111004"
+ pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}"
+ - set:
+ field: event.outcome
+ description: "111004"
+ value: "success"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'"
+ - set:
+ field: event.outcome
+ description: "111004"
+ value: "failure"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'"
+ - remove:
+ field: _temp_.cisco.cli_outcome
+ ignore_missing: true
+ - append:
+ field: event.type
+ description:
"111004" + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:host.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + description: "111010" + patterns: + - "User '%{NOTSPACE:host.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + description: "113019" + pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" + - grok: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "302013, 302015" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '303002'"
+ field: "message"
+ description: "303002"
+ pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302012'"
+ field: "message"
+ description: "302012"
+ pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '302020'"
+ field: "message"
+ description: "302020"
+ patterns:
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?"
+ pattern_definitions:
+ NOTCOLON: "[^:]*"
+ ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
+ ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
+ MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302022'"
+ field: "message"
+ description: "302022"
+ pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302023'"
+ field: "message"
+ description: "302023"
+ pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '304001'"
+ field: "message"
+ description: "304001"
+ patterns:
+ - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '304001'"
+ field: "event.outcome"
+ description: "304001"
+ value: success
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '304002'"
+ field: "message"
+ description: "304002"
+ pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '305011'"
+ field: "message"
+ description: "305011"
+ patterns:
+ - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))?
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port}
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313001'"
+ field: "message"
+ description: "313001"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313004'"
+ field: "message"
+ description: "313004"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313005'"
+ field: "message"
+ description: "313005"
+ pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313008'"
+ field: "message"
+ description: "313008"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313009'"
+ field: "message"
+ description: "313009"
+ pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '322001'"
+ field: "message"
+ description: "322001"
+ pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id ==
'338001'"
+ field: "message"
+ description: "338001"
+ pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338001'"
+ field: "server.domain"
+ description: "338001"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338002'"
+ field: "message"
+ description: "338002"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338002'"
+ field: "server.domain"
+ description: "338002"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338003'"
+ field: "message"
+ description: "338003"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level:
%{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338004'"
+ field: "message"
+ description: "338004"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338005'"
+ field: "message"
+ description: "338005"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338005'"
+ field: "server.domain"
+ description: "338005"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338006'"
+ field: "message"
+ description: "338006"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list:
%{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338006'"
+ field: "server.domain"
+ description: "338006"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338007'"
+ field: "message"
+ description: "338007"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338008'"
+ field: "message"
+ description: "338008"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "message"
+ description: "338101"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from
%{_temp_.cisco.list_id} list: %{source.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "server.domain"
+ description: "338101"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "message"
+ description: "338102"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "server.domain"
+ description: "338102"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338103'"
+ field: "message"
+ description: "338103"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338104'"
+ field: "message"
+ description: "338104"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if:
"ctx._temp_.cisco.message_id == '338201'" + field: "message" + description: "338201" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "server.domain" + description: "338201" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "message" + description: "338202" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "server.domain" + description: "338202" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "message" + description: "338203" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338203'"
+ field: "server.domain"
+ description: "338203"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "message"
+ description: "338204"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "server.domain"
+ description: "338204"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "message"
+ description: "338301"
+ pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.address"
+ description: "338301"
+ value: "{{destination.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.port"
+ description: "338301"
+ value: "{{destination.port}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.address"
+ description: "338301"
+ value:
"{{source.address}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.port" + description: "338301" + value: "{{source.port}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "message" + description: "502103" + pattern: "User priv level changed: Uname: %{host.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.type"
+ description: "502103"
+ value:
+ - "group"
+ - "change"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.category"
+ description: "502103"
+ value: "iam"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '507003'"
+ field: "message"
+ description: "507003"
+ pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}"
+ - dissect:
+ if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "605004, 605005"
+ pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609001'"
+ field: "message"
+ description: "609001"
+ pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609002'"
+ field: "message"
+ description: "609002"
+ pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}"
+ - dissect:
+ if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "611102, 611101"
+ pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{host.user.name}'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710003'"
+ field: "message"
+ description: "710003"
+ pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id ==
'710005'"
+ field: "message"
+ description: "710005"
+ pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713049'"
+ field: "message"
+ description: "713049"
+ pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '716002'"
+ field: "message"
+ description: "716002"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}."
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}."
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '722051'"
+ field: "message"
+ description: "722051"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}"
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '733100'"
+ field: "message"
+ description: "733100"
+ pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded.
Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '734001'"
+ field: "message"
+ description: "734001"
+ pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805001'"
+ field: "message"
+ description: "805001"
+ pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805002'"
+ field: "message"
+ description: "805002"
+ pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - split:
+ field: "_temp_.cisco.dap_records"
+ separator: ",\\s+"
+ ignore_missing: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434002'"
+ field: "message"
+ pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if:
"ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." 
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750003'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
+ - grok:
+ if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ patterns:
+ - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"
+ # Handle ecs action outcome protocol
+ - set:
+ if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "unknown"
+ - set:
+ if: '["419002"].contains(ctx._temp_.cisco.message_id)'
+ field: "network.protocol"
+ value: "tcp"
+ - set:
+ if: '["110002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["713120"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "connection-started"
+ - set:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "error"
+ - append:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.type"
+ value: "error"
+
+ #
+ # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
+ #
+ - set:
+ if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "flow-expiration"
+ description: "302012, 302014,
302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002"
+ - grok:
+ field: "message"
+ if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
+ description: "302014, 302016, 302018, 302021, 302036, 302304, 302306"
+ patterns:
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator}
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes})
%{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr 
(?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + + # + # Decode FTD's Security Event Syslog Messages + # + # 43000x messages are security event syslog messages specific to FTD. + # Format is a comma-separated sequence of key: value pairs. + # + # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} + - kv: + if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "430001, 430002, 430003, 430004, 430005" + field_split: ",(?=[A-za-z1-9\\s]+:)" + value_split: ":" + target_field: "_temp_.orig_security" + trim_key: " " + trim_value: " " + ignore_failure: true + + # + # Remove _temp_.full_message. + # + # The field has been used as temporary buffer while decoding. The full message + # is kept under event.original. Processors below can still add a message field, as some + # security events contain an explanatory Message field. + - remove: + field: + - message + - _temp_.full_message + ignore_missing: true + + # + # Populate ECS fields from Security Events + # + # This script uses the key-value pairs from Security Events to populate + # the appropriate ECS fields. + # + # A single key can be mapped to multiple ECS fields, and more than one key can + # map to the same ECS field, which results in an array being created. + # + # This script performs an additional job: + # + # Before FTD version 6.3, the message_id was not included in Security Events. + # As this field encodes the kind of event (intrusion, connection, malware...) 
+ # the script below will guess the right message_id from the keys present in
+ # the event.
+ #
+ # The reason for overloading this script with different behaviors is
+ # that this pipeline is already reaching the limit on script compilations.
+ #
+ #*******************************************************************************
+ # Code generated by go generate. DO NOT EDIT.
+ #*******************************************************************************
+ - script:
+ if: ctx._temp_?.orig_security != null
+ params:
+ ACPolicy:
+ target: ac_policy
+ id: ["430001", "430002", "430003"]
+ ecs: [_temp_.cisco.rule_name]
+ AccessControlRuleAction:
+ target: access_control_rule_action
+ id: ["430002", "430003"]
+ ecs: [event.outcome]
+ AccessControlRuleName:
+ target: access_control_rule_name
+ id: ["430002", "430003"]
+ ecs: [_temp_.cisco.rule_name]
+ AccessControlRuleReason:
+ target: access_control_rule_reason
+ id: ["430002", "430003"]
+ ApplicationProtocol:
+ target: application_protocol
+ ecs: [network.protocol]
+ ArchiveDepth:
+ target: archive_depth
+ id: ["430004", "430005"]
+ ArchiveFileName:
+ target: archive_file_name
+ id: ["430004", "430005"]
+ ecs: [file.name]
+ ArchiveFileStatus:
+ target: archive_file_status
+ id: ["430004", "430005"]
+ ArchiveSHA256:
+ target: archive_sha256
+ id: ["430004", "430005"]
+ ecs: [file.hash.sha256]
+ Classification:
+ target: classification
+ id: ["430001"]
+ Client:
+ target: client
+ ecs: [network.application]
+ ClientVersion:
+ target: client_version
+ id: ["430002", "430003"]
+ ConnectionDuration:
+ target: connection_duration
+ id: ["430003"]
+ ecs: [event.duration]
+ DNS_Sinkhole:
+ target: dns_sinkhole
+ id: ["430002", "430003"]
+ DNS_TTL:
+ target: dns_ttl
+ id: ["430002", "430003"]
+ DNSQuery:
+ target: dns_query
+ id: ["430002", "430003"]
+ ecs: [dns.question.name]
+ DNSRecordType:
+ target: dns_record_type
+ id: ["430002", "430003"]
+ ecs: [dns.question.type]
+ DNSResponseType:
+ target: dns_response_type
+ id: ["430002", "430003"]
+ ecs: [dns.response_code]
+ DNSSICategory:
+ target: dnssi_category
+ id: ["430002", "430003"]
+ DstIP:
+ target: dst_ip
+ ecs: [destination.address]
+ DstPort:
+ target: dst_port
+ ecs: [destination.port]
+ EgressInterface:
+ target: egress_interface
+ id: ["430001", "430002", "430003"]
+ ecs: [_temp_.cisco.destination_interface]
+ EgressZone:
+ target: egress_zone
+ id: ["430001", "430002", "430003"]
+ Endpoint Profile:
+ target: endpoint_profile
+ id: ["430002", "430003"]
+ FileAction:
+ target: file_action
+ id: ["430004", "430005"]
+ FileCount:
+ target: file_count
+ id: ["430002", "430003"]
+ FileDirection:
+ target: file_direction
+ id: ["430004", "430005"]
+ FileName:
+ target: file_name
+ id: ["430004", "430005"]
+ ecs: [file.name]
+ FilePolicy:
+ target: file_policy
+ id: ["430004", "430005"]
+ ecs: [_temp_.cisco.rule_name]
+ FileSHA256:
+ target: file_sha256
+ id: ["430004", "430005"]
+ ecs: [file.hash.sha256]
+ FileSandboxStatus:
+ target: file_sandbox_status
+ id: ["430004", "430005"]
+ FileSize:
+ target: file_size
+ id: ["430004", "430005"]
+ ecs: [file.size]
+ FileStorageStatus:
+ target: file_storage_status
+ id: ["430004", "430005"]
+ FileType:
+ target: file_type
+ id: ["430004", "430005"]
+ FirstPacketSecond:
+ target: first_packet_second
+ id: ["430004", "430005"]
+ ecs: [event.start]
+ GID:
+ target: gid
+ id: ["430001"]
+ ecs: [service.id]
+ HTTPReferer:
+ target: http_referer
+ id: ["430002", "430003"]
+ ecs: [http.request.referrer]
+ HTTPResponse:
+ target: http_response
+ id: ["430001", "430002", "430003"]
+ ecs: [http.response.status_code]
+ ICMPCode:
+ target: icmp_code
+ id: ["430001", "430002", "430003"]
+ ICMPType:
+ target: icmp_type
+ id: ["430001", "430002", "430003"]
+ IPReputationSICategory:
+ target: ip_reputation_si_category
+ id: ["430002", "430003"]
+ IPSCount:
+ target: ips_count
+ id: ["430002", "430003"]
+ IngressInterface:
+ target: ingress_interface
+ id: ["430001", "430002", "430003"]
+ ecs: [_temp_.cisco.source_interface]
+ IngressZone:
+ target: ingress_zone
+ id: ["430001", "430002", "430003"]
+ InitiatorBytes:
+ target: initiator_bytes
+ id: ["430003"]
+ ecs: [source.bytes]
+ InitiatorPackets:
+ target: initiator_packets
+ id: ["430003"]
+ ecs: [source.packets]
+ InlineResult:
+ target: inline_result
+ id: ["430001"]
+ ecs: [event.outcome]
+ IntrusionPolicy:
+ target: intrusion_policy
+ id: ["430001"]
+ ecs: [_temp_.cisco.rule_name]
+ MPLS_Label:
+ target: mpls_label
+ id: ["430001"]
+ Message:
+ target: message
+ id: ["430001"]
+ ecs: [message]
+ NAPPolicy:
+ target: nap_policy
+ id: ["430001", "430002", "430003"]
+ NetBIOSDomain:
+ target: net_bios_domain
+ id: ["430002", "430003"]
+ ecs: [host.hostname]
+ NumIOC:
+ target: num_ioc
+ id: ["430001"]
+ Prefilter Policy:
+ target: prefilter_policy
+ id: ["430002", "430003"]
+ Priority:
+ target: priority
+ id: ["430001"]
+ Protocol:
+ target: protocol
+ ecs: [network.transport]
+ ReferencedHost:
+ target: referenced_host
+ id: ["430002", "430003"]
+ ecs: [url.domain]
+ ResponderBytes:
+ target: responder_bytes
+ id: ["430003"]
+ ecs: [destination.bytes]
+ ResponderPackets:
+ target: responder_packets
+ id: ["430003"]
+ ecs: [destination.packets]
+ Revision:
+ target: revision
+ id: ["430001"]
+ SHA_Disposition:
+ target: sha_disposition
+ id: ["430004", "430005"]
+ SID:
+ target: sid
+ id: ["430001"]
+ SSLActualAction:
+ target: ssl_actual_action
+ ecs: [event.outcome]
+ SSLCertificate:
+ target: ssl_certificate
+ id: ["430002", "430003", "430004", "430005"]
+ SSLExpectedAction:
+ target: ssl_expected_action
+ id: ["430002", "430003"]
+ SSLFlowStatus:
+ target: ssl_flow_status
+ id: ["430002", "430003", "430004", "430005"]
+ SSLPolicy:
+ target: ssl_policy
+ id: ["430002", "430003"]
+ SSLRuleName:
+ target: ssl_rule_name
+ id: ["430002", "430003"]
+ SSLServerCertStatus:
+ target: ssl_server_cert_status
+ id: ["430002", "430003"]
+ SSLServerName:
+ target: ssl_server_name
+ id: ["430002", "430003"]
+ ecs: [server.domain]
+ SSLSessionID:
+ target: ssl_session_id
+ id: ["430002", "430003"]
+ SSLTicketID:
+ target: ssl_ticket_id
+ id: ["430002", "430003"]
+ SSLURLCategory:
+ target: sslurl_category
+ id: ["430002", "430003"]
+ SSLVersion:
+ target: ssl_version
+ id: ["430002", "430003"]
+ SSSLCipherSuite:
+ target: sssl_cipher_suite
+ id: ["430002", "430003"]
+ SecIntMatchingIP:
+ target: sec_int_matching_ip
+ id: ["430002", "430003"]
+ Security Group:
+ target: security_group
+ id: ["430002", "430003"]
+ SperoDisposition:
+ target: spero_disposition
+ id: ["430004", "430005"]
+ SrcIP:
+ target: src_ip
+ ecs: [source.address]
+ SrcPort:
+ target: src_port
+ ecs: [source.port]
+ TCPFlags:
+ target: tcp_flags
+ id: ["430002", "430003"]
+ ThreatName:
+ target: threat_name
+ id: ["430005"]
+ ecs: [_temp_.cisco.threat_category]
+ ThreatScore:
+ target: threat_score
+ id: ["430005"]
+ ecs: [_temp_.cisco.threat_level]
+ Tunnel or Prefilter Rule:
+ target: tunnel_or_prefilter_rule
+ id: ["430002", "430003"]
+ URI:
+ target: uri
+ id: ["430004", "430005"]
+ ecs: [url.original]
+ URL:
+ target: url
+ id: ["430002", "430003"]
+ ecs: [url.original]
+ URLCategory:
+ target: url_category
+ id: ["430002", "430003"]
+ URLReputation:
+ target: url_reputation
+ id: ["430002", "430003"]
+ URLSICategory:
+ target: urlsi_category
+ id: ["430002", "430003"]
+ User:
+ target: user
+ ecs: [user.id, user.name]
+ UserAgent:
+ target: user_agent
+ id: ["430002", "430003"]
+ ecs: [user_agent.original]
+ VLAN_ID:
+ target: vlan_id
+ id: ["430001", "430002", "430003"]
+ WebApplication:
+ target: web_application
+ ecs: [network.application]
+ originalClientSrcIP:
+ target: original_client_src_ip
+ id: ["430002", "430003"]
+ ecs: [client.address]
+ lang: painless
+ source: |
+ boolean isEmpty(def value) {
+ return (value instanceof AbstractList? value.size() : value.length()) == 0;
+ }
+ def appendOrCreate(Map dest, String[] path, def value) {
+ for (int i=0; i new HashMap());
+ }
+ String key = path[path.length - 1];
+ def existing = dest.get(key);
+ return existing == null?
+ dest.put(key, value)
+ : existing instanceof AbstractList?
+ existing.add(value)
+ : dest.put(key, new ArrayList([existing, value]));
+ }
+ def msg = ctx._temp_.orig_security;
+ def counters = new HashMap();
+ def dest = new HashMap();
+ ctx._temp_.cisco['security'] = dest;
+ for (entry in msg.entrySet()) {
+ def param = params.get(entry.getKey());
+ if (param == null) {
+ continue;
+ }
+ param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) );
+ if (!isEmpty(entry.getValue())) {
+ param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) );
+ dest[param.target] = entry.getValue();
+ }
+ }
+ if (ctx._temp_.cisco.message_id != "") return;
+ def best;
+ for (entry in counters.entrySet()) {
+ if (best == null || best.getValue() < entry.getValue()) best = entry;
+ }
+ if (best != null) ctx._temp_.cisco.message_id = best.getKey();
+ #*******************************************************************************
+ # End of generated code.
+ #*******************************************************************************
+
+ #
+ # Normalize ECS field values
+ #
+ - script:
+ lang: painless
+ params:
+ "ctx._temp_.cisco.message_id":
+ target: event.action
+ map:
+ "430001": intrusion-detected
+ "430002": connection-started
+ "430003": connection-finished
+ "430004": file-detected
+ "430005": malware-detected
+ "dns.question.type":
+ map:
+ "a host address": A
+ "ip6 address": AAAA
+ "text strings": TXT
+ "a domain name pointer": PTR
+ "an authoritative name server": NS
+ "the canonical name for an alias": CNAME
+ "marks the start of a zone of authority": SOA
+ "mail exchange": MX
+ "server selection": SRV
+ "dns.response_code":
+ map:
+ "non-existent domain": NXDOMAIN
+ "server failure": SERVFAIL
+ "query refused": REFUSED
+ "no error": NOERROR
+ source: |
+ def getField(Map src, String[] path) {
+ for (int i=0; i new HashMap());
+ }
+ dest[path[path.length-1]] = value;
+ }
+ for (entry in params.entrySet()) {
+ def srcField = entry.getKey();
+ def param = entry.getValue();
+ String oldVal = getField(ctx, srcField.splitOnToken('.'));
+ if (oldVal == null) continue;
+ def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null);
+ if (newVal != null) {
+ def dstField = param.getOrDefault('target', srcField);
+ setField(ctx, dstField.splitOnToken('.'), newVal);
+ }
+ }
+ - set:
+ if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null"
+ field: dns.response_code
+ value: NOERROR
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430001"'
+ field: event.action
+ value: intrusion-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430002"'
+ field: event.action
+ value: connection-started
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430003"'
+ field: event.action
+ value: connection-finished
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430004"'
+ field: event.action
+ value: file-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430005"'
+ field: event.action
+ value: malware-detected
+
+ #
+ # Handle event.duration
+ #
+ # It can be set from ConnectionDuration FTD field above. This field holds
+ # seconds as a string. Copy it to _temp_.duration_hms so that the following
+ # processor converts it to the right value and populates start and end.
+ - set:
+ field: "_temp_.duration_hms"
+ value: "{{event.duration}}"
+ ignore_empty_value: true
+
+ #
+ # Process the flow duration "hh:mm:ss" present in some messages
+ # This will fill event.start, event.end and event.duration
+ #
+ - script:
+ lang: painless
+ if: "ctx?._temp_?.duration_hms != null"
+ source: >
+ long parse_hms(String s) {
+ long cur = 0, total = 0;
+ for (char c: s.toCharArray()) {
+ if (c >= (char)'0' && c <= (char)'9') {
+ cur = (cur*10) + (long)c - (char)'0';
+ } else if (c == (char)':') {
+ total = (total + cur) * 60;
+ cur = 0;
+ } else {
+ return 0;
+ }
+ }
+ return total + cur;
+ }
+ if (ctx?.event == null) {
+ ctx['event'] = new HashMap();
+ }
+ String end = ctx['@timestamp'];
+ ctx.event['end'] = end;
+ long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L;
+ ctx.event['duration'] = nanos;
+ ctx.event['start'] = ZonedDateTime.ofInstant(
+ Instant.parse(end).minusNanos(nanos),
+ ZoneOffset.UTC);
+ #
+ # Normalize protocol names
+ #
+ - lowercase:
+ field: "network.transport"
+ ignore_failure: true
+ - lowercase:
+ field: "network.protocol"
+ ignore_failure: true
+ - lowercase:
+ field: "network.application"
+ ignore_failure: true
+ - lowercase:
+ field: "file.type"
+ ignore_failure: true
+ - lowercase:
+ field: "network.direction"
+ ignore_failure: true
+ - lowercase:
+ field: "network.type"
+ ignore_failure: true
+ #
+ # Populate network.iana_number from network.transport. Also does reverse
+ # mapping in case network.transport contains the iana_number.
+ #
+ - script:
+ if: "ctx?.network?.transport != null"
+ lang: painless
+ params:
+ icmp: 1
+ igmp: 2
+ ipv4: 4
+ tcp: 6
+ egp: 8
+ igp: 9
+ pup: 12
+ udp: 17
+ rdp: 27
+ irtp: 28
+ dccp: 33
+ idpr: 35
+ ipv6: 41
+ ipv6-route: 43
+ ipv6-frag: 44
+ rsvp: 46
+ gre: 47
+ esp: 50
+ ipv6-icmp: 58
+ ipv6-nonxt: 59
+ ipv6-opts: 60
+ source: >
+ def net = ctx.network;
+ def iana = params[net.transport];
+ if (iana != null) {
+ net['iana_number'] = iana;
+ return;
+ }
+ def reverse = new HashMap();
+ def[] arr = new def[] { null };
+ for (entry in params.entrySet()) {
+ arr[0] = entry.getValue();
+ reverse.put(String.format("%d", arr), entry.getKey());
+ }
+ def trans = reverse[net.transport];
+ if (trans != null) {
+ net['iana_number'] = net.transport;
+ net['transport'] = trans;
+ }
+ #
+ # Normalize event.outcome
+ #
+ - lowercase:
+ field: "event.outcome"
+ ignore_missing: true
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "est-allowed"'
+ value: success
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "permitted"'
+ value: success
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "allow"'
+ value: success
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "denied"'
+ value: failure
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "deny"'
+ value: failure
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "dropped"'
+ value: failure
+ - set:
+ field: "network.transport"
+ if: 'ctx.network?.transport == "icmpv6"'
+ value: "ipv6-icmp"
+ #
+ # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string
+ #
+ - convert:
+ field: source.port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: destination.port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: source.bytes
+ type: long
+ ignore_failure: true
+ - convert:
+ field: destination.bytes
+ type: long
+ ignore_failure: true
+ - convert:
+ field: network.bytes
+ type: long
+ ignore_failure: true
+ - convert:
+ field: source.packets
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: destination.packets
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.mapped_source_port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.mapped_destination_port
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.icmp_code
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: _temp_.cisco.icmp_type
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: http.response.status_code
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: file.size
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_failure: true
+ #
+ # Assign ECS .ip fields from .address is a valid IP address is found,
+ # otherwise set .domain field.
+ #
+ - grok:
+ field: source.address
+ patterns:
+ - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$"
+ ignore_failure: true
+ - grok:
+ field: destination.address
+ patterns:
+ - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$"
+ ignore_failure: true
+ - grok:
+ field: client.address
+ patterns:
+ - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$"
+ ignore_failure: true
+ - grok:
+ field: server.address
+ patterns:
+ - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$"
+ ignore_failure: true
+ #
+ # Geolocation for source and destination addresses
+ #
+ - geoip:
+ field: "source.ip"
+ target_field: "source.geo"
+ ignore_missing: true
+ - geoip:
+ field: "destination.ip"
+ target_field: "destination.geo"
+ ignore_missing: true
+ #
+ # IP Autonomous System (AS) Lookup
+ #
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ #
+ # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address.
+ #
+ - grok:
+ field: _temp_.natsrcip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"
+ ignore_failure: true
+ - grok:
+ field: _temp_.natdstip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$"
+ ignore_failure: true
+ #
+ # NAT fields
+ #
+ # The firewall always populates mapped ip and port even if there was no NAT.
+ # This populates both nat.ip and nat.port only when some translation is done.
+ # Fills nat.ip and nat.port even when only the ip or port changed.
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.cisco.mapped_source_ip}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: source.nat.port
+ value: "{{_temp_.cisco.mapped_source_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.port
+ type: long
+ ignore_missing: true
+ - set:
+ field: destination.nat.ip
+ value: "{{_temp_.cisco.mapped_destination_ip}}"
+ if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: destination.nat.port
+ value: "{{_temp_.cisco.mapped_destination_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.port
+ type: long
+ ignore_missing: true
+ #
+ # Zone-based Network Directionality
+ #
+ # If external and internal zones are specified and our ingress/egress zones are
+ # populated, then we can classify traffic directionality based off of our defined
+ # zones rather than the logs.
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ )
+ )
+
+ - set:
+ field: _temp_.url_domain
+ value: "{{url.domain}}"
+ ignore_failure: true
+ if: ctx?.url?.domain != null
+
+ - uri_parts:
+ field: url.original
+ ignore_failure: true
+ if: ctx?.url?.original != null
+ - append:
+ field: url.domain
+ value: "{{_temp_.url_domain}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?._temp_?.url_domain != null
+
+ #
+ # Populate ECS event.code
+ #
+ - rename:
+ field: _temp_.cisco.message_id
+ target_field: event.code
+ ignore_failure: true
+ - remove:
+ field:
+ - _temp_.cisco.message_id
+ - event.code
+ if: 'ctx._temp_.cisco.message_id == ""'
+ ignore_failure: true
+ #
+ # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd.
+ #
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.ftd"
+ ignore_failure: true
+ #
+ # Remove temporary fields
+ #
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ #
+ # Rename some 7.x fields
+ #
+ - rename:
+ field: cisco.ftd.list_id
+ target_field: cisco.ftd.rule_name
+ ignore_missing: true
+ # ECS categorization
+ - script:
+ lang: painless
+ params:
+ connection-finished:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ connection-started:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - start
+ file-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ firewall-rule:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ flow-expiration:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ intrusion-detected:
+ kind: alert
+ category:
+ - intrusion_detection
+ type:
+ - info
+ malware-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ bypass:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - change
+ error:
+ kind: event
+ outcome: failure
+ category:
+ - network
+ type:
+ - error
+ deleted:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - deletion
+ - user
+ creation:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - creation
+ - user
+ source: >-
+ if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) {
+ return;
+ }
+ ctx.event.kind = params.get(ctx.event.action).get('kind');
+ ctx.event.category = params.get(ctx.event.action).get('category').clone();
+ ctx.event.type = params.get(ctx.event.action).get('type').clone();
+ if (ctx?.event?.outcome == null) {
+ return;
+ }
+ if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) {
+ if (ctx.event.outcome == 'success') {
+ ctx.event.type.add('allowed');
+ }
+ if (ctx.event.outcome == 'failure') {
+ ctx.event.type.add('denied');
+ }
+ if (ctx.event.outcome == 'block') {
+ ctx.event.type.add('denied');
+ }
+ }
+
+ - set:
+ description: copy destination.user.name to user.name if it is not set
+ field: user.name
+ value: "{{destination.user.name}}"
+ ignore_empty_value: true
+ if: ctx?.user?.name == null
+
+ # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
+ - set:
+ field: observer.hostname
+ value: "{{ host.hostname }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.vendor
+ value: "Cisco"
+ ignore_empty_value: true
+ - set:
+ field: observer.type
+ value: "firewall"
+ ignore_empty_value: true
+ - set:
+ field: observer.product
+ value: "asa"
+ ignore_empty_value: true
+ - set:
+ field: observer.egress.interface.name
+ value: "{{ cisco.ftd.destination_interface }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.ingress.interface.name
+ value: "{{ cisco.ftd.source_interface }}"
+ ignore_empty_value: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{source.nat.ip}}"
+ if: "ctx?.source?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.nat.ip}}"
+ if: "ctx?.destination?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ if: ctx?.user?.name != null && ctx?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{host.user.name}}"
+ if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{destination.user.name}}"
+ if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: "{{file.hash.sha256}}"
+ if: "ctx?.file?.hash?.sha256 != null"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.domain}}"
+ if: ctx.destination?.domain != null && ctx.destination?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.domain}}"
+ if: ctx.source?.domain != null && ctx.source?.domain != ''
+ allow_duplicates: false
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ # Copy any fields under _temp_.cisco to its final destination. Those can help
+ # with diagnosing the failure.
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.ftd"
+ ignore_failure: true
+ # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco/0.13.3/data_stream/ftd/fields/agent.yml b/packages/cisco/0.13.3/data_stream/ftd/fields/agent.yml
new file mode 100755
index 0000000000..d38a70bd6b
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/ftd/fields/agent.yml
@@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
+- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/cisco/0.13.3/data_stream/ftd/fields/base-fields.yml b/packages/cisco/0.13.3/data_stream/ftd/fields/base-fields.yml new file mode 100755 index 0000000000..919ded43d4 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ftd/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco.ftd +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cisco/0.13.3/data_stream/ftd/fields/ecs.yml b/packages/cisco/0.13.3/data_stream/ftd/fields/ecs.yml new file mode 100755 index 0000000000..f190cd09ca --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ftd/fields/ecs.yml 
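Review bot: In the `cloud.account.id` entry at the top of this file the example is written as an unquoted plain scalar, `example: 666777888999`, so a YAML 1.1 or 1.2 parser reads it as an integer even though the field itself is `type: keyword`; everything else in this file that could look numeric (`"18D109"`) is quoted. Suggest `example: "666777888999"` so the example has the same type as the field and survives a round-trip through tooling that re-serialises the definition. The three `description: >` blocks near the end (`containerized`, `os.build`, `os.codename`) are each followed by a blank line, which the folded scalar keeps as a trailing newline in the value; `description: >-` would avoid that, though I cannot tell from here whether the consumer trims it.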
@@ -0,0 +1,536 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. 
+ level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). 
+ name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. 
+ The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. 
+ name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. 
+ name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. 
+ Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. 
internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
+ multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. 
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). 
+ name: server.ip + type: ip +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip diff --git a/packages/cisco/0.13.3/data_stream/ftd/fields/fields.yml b/packages/cisco/0.13.3/data_stream/ftd/fields/fields.yml new file mode 100755 index 0000000000..cd3a6b2e3a --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ftd/fields/fields.yml 
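Review bot: Two field definitions are listed twice in this file: the `event.created` entry is immediately repeated verbatim (the second copy directly follows the first, before `event.duration`), and `server.domain` appears once among the `service.id`/`source.*` entries and again near the end next to `server.address`. These are sequence items rather than mapping keys, so the YAML parser will not reject them, but the duplicates produce the same mapping twice in the generated index template and should be dropped from one location; I cannot tell from here whether the package build tooling deduplicates them. As a caveat for the `url.password` entry: it is an ECS-standard field, but it indexes any credential that appears in a URL as a plain keyword, so if the pipeline for this data stream ever populates it, the retention and access-control implications are worth a comment such as `# contains credentials observed in URLs; review before enabling in the pipeline`.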
@@ -0,0 +1,155 @@ +- name: cisco.ftd + type: group + fields: + - name: message_id + type: keyword + description: | + The Cisco FTD message identifier. + - name: suffix + type: keyword + description: | + Optional suffix after %FTD identifier. + - name: source_interface + type: keyword + description: | + Source interface for the flow or event. + - name: destination_interface + type: keyword + description: | + Destination interface for the flow or event. + - name: rule_name + type: keyword + description: | + Name of the Access Control List rule that matched this event. + - name: source_username + type: keyword + description: | + Name of the user that is the source for this event. + - name: destination_username + type: keyword + description: | + Name of the user that is the destination for this event. + - name: mapped_source_ip + type: ip + description: | + The translated source IP address. + - name: mapped_source_port + type: long + description: | + The translated source port. + - name: mapped_destination_ip + type: ip + description: | + The translated destination IP address. + - name: mapped_destination_port + type: long + description: | + The translated destination port. + - name: threat_level + type: keyword + description: | + Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. + - name: threat_category + type: keyword + description: | + Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. + - name: connection_id + type: keyword + description: | + Unique identifier for a flow. + - name: icmp_type + type: short + description: | + ICMP type. + - name: icmp_code + type: short + description: | + ICMP code. 
+ - name: connection_type + type: keyword + description: | + The VPN connection type + - name: dap_records + type: keyword + description: | + The assigned DAP records + - name: mapped_destination_host + type: keyword + - name: username + type: keyword + - name: mapped_source_host + type: keyword + - name: command_line_arguments + default_field: false + type: keyword + description: | + The command line arguments logged by the local audit log + - name: assigned_ip + default_field: false + type: ip + description: | + The IP address assigned to a VPN client successfully connecting + - name: privilege.old + default_field: false + type: keyword + description: | + When a users privilege is changed this is the old value + - name: privilege.new + default_field: false + type: keyword + description: | + When a users privilege is changed this is the new value + - name: burst.object + default_field: false + type: keyword + description: | + The related object for burst warnings + - name: burst.id + default_field: false + type: keyword + description: | + The related rate ID for burst warnings + - name: burst.current_rate + default_field: false + type: keyword + description: | + The current burst rate seen + - name: burst.configured_rate + default_field: false + type: keyword + description: | + The current configured burst rate + - name: burst.avg_rate + default_field: false + type: keyword + description: | + The current average burst rate seen + - name: burst.configured_avg_rate + default_field: false + type: keyword + description: | + The current configured average burst rate allowed + - name: burst.cumulative_count + default_field: false + type: keyword + description: | + The total count of burst rate hits since the object was created or cleared + - name: security + type: flattened + description: Cisco FTD security event fields. 
+ - name: webvpn.group_name + type: keyword + default_field: false + description: | + The WebVPN group name the user belongs to + - name: termination_user + default_field: false + type: keyword + description: |- + AAA name of user requesting termination +- name: syslog.facility.code + type: long + description: Syslog numeric facility of the event. +- name: syslog.priority + type: long + description: Syslog priority of the event. diff --git a/packages/cisco/0.13.3/data_stream/ftd/manifest.yml b/packages/cisco/0.13.3/data_stream/ftd/manifest.yml new file mode 100755 index 0000000000..8098dcc50c --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ftd/manifest.yml 
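Review bot: `mapped_destination_host`, `username` and `mapped_source_host` are the only fields in this file declared without a `description`, so they appear undocumented in the generated field reference while every neighbouring field carries one; add one-liners in the same `description: |` style (something like `The translated destination host name.`, `The user name associated with the event.`, `The translated source host name.`), checking the exact meaning against the FTD pipeline, which is not in this hunk. Separately, `burst.current_rate`, `burst.configured_rate`, `burst.avg_rate`, `burst.configured_avg_rate` and `burst.cumulative_count` are typed `keyword` although their descriptions read as numeric rates and counts; if the pipeline emits plain numbers, `long` would allow range queries and aggregations on them, and if it emits unit-suffixed strings the descriptions should say so. The last entry switches to `description: |-` while every other field uses `description: |`; pick one form for the file.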
@@ -0,0 +1,88 @@ +title: Cisco FTD logs +release: experimental +type: logs +streams: + - input: udp + title: Cisco FTD logs + description: Collect Cisco FTD logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-ftd + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP Port to listen on + multi: false + required: true + show_user: true + default: 9003 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
+ + - input: logfile + enabled: false + title: Cisco FTD logs + description: Collect Cisco FTD logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/cisco-ftd.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-ftd + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/cisco/0.13.3/data_stream/ftd/sample_event.json b/packages/cisco/0.13.3/data_stream/ftd/sample_event.json new file mode 100755 index 0000000000..e194091dd3 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ftd/sample_event.json 
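Review bot: The `logfile` stream has no `template_path` while the `udp` stream sets `template_path: udp.yml.hbs`, so the file stream presumably relies on the package's default template name; a comment on that stream, `# template_path omitted on purpose: the default stream template is used`, would mark the asymmetry as deliberate (the default is inferred here, confirm it in the package build). The `udp_host` variable is also worth a `description:` stating the consequence of its `localhost` default, since a listener bound to loopback never receives datagrams from a firewall on the network and the result is silently empty data rather than an error; one line such as `Address to bind the UDP listener to; must be an interface reachable by the sending device` would save operators that diagnosis.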
@@ -0,0 +1,163 @@ +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "915b9d78-907c-4615-90f8-e2997777f537", + "hostname": "docker-fleet-agent", + "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.14.0" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "213.211.198.62", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": "http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco.ftd", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "213.211.198.62", + "as": { + "number": 43341, + "organization": { + "name": "MDlink online service center GmbH" + } + }, + "geo": { + "city_name": "Magdeburg", + "continent_name": "Europe", + "country_iso_code": "DE", + "country_name": "Germany", + "location": { + "lat": 52.1333, + "lon": 11.6167 + }, + "region_iso_code": "DE-ST", + "region_name": "Saxony-Anhalt" + }, + "ip": "213.211.198.62", + "port": 80 + }, + "ecs": { + "version": "1.10.0" + }, + "elastic_agent": { + "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "snapshot": true, + "version": "7.14.0" 
+ }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + "malware" + ], + "code": "430005", + "dataset": "cisco.ftd", + "ingested": "2021-07-19T08:56:32.448763106Z", + "kind": "alert", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "firepower", + "name": "docker-fleet-agent" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "alert", + "source": { + "address": "172.23.0.4:41328" + } + }, + "network": { + "application": "curl", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "213.211.198.62" + ], + "user": [ + "No Authentication Required" + ] + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + 
"tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} \ No newline at end of file diff --git a/packages/cisco/0.13.3/data_stream/ios/agent/stream/stream.yml.hbs b/packages/cisco/0.13.3/data_stream/ios/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..28ea4aaa98 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ios/agent/stream/stream.yml.hbs @@ -0,0 +1,20 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco/0.13.3/data_stream/ios/agent/stream/udp.yml.hbs b/packages/cisco/0.13.3/data_stream/ios/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..8716e7a1df --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ios/agent/stream/udp.yml.hbs @@ -0,0 +1,16 @@ +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco/0.13.3/data_stream/ios/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/0.13.3/data_stream/ios/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..23b37b285a --- /dev/null 
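Review bot: The sample shows the FTD pipeline storing the placeholder `"No Authentication Required"` as `user.id`, `user.name` and an entry of `related.user`, so a sentinel that is not a user will match any entity or correlation query keyed on user identity; the pipeline producing this event is outside this diff, but it should skip that value when populating the ECS `user.*` and `related.user` fields (the raw string can stay in `cisco.ftd.security.user`). `cisco.ftd.threat_category` carries the threat name `Win.Ransomware.Eicar::95.sbx.tg`, whereas fields.yml in this same commit documents `threat_category` as a class such as virus or botnet, so either the mapping or the field description is wrong. `observer.product` is `asa` in an FTD event, which looks like a carry-over from a sibling data stream; confirm against the FTD pipeline.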
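Review bot: `- {{path}}` and `- {{tag}}` are rendered unquoted into YAML sequences, so a configured path or tag containing YAML specials (a leading `*`, `&` or `[`, or `: ` / ` #` inside it) yields a broken or re-typed rendered config instead of the intended string; rendering them as `- "{{path}}"` and `- "{{tag}}"` keeps user-supplied values as strings, and udp.yml.hbs has the same `{{tag}}` loop while its `host:` line already shows the quoted form. `{{processors}}` is pasted verbatim at column 0 under `processors:`, which only works when the user-supplied YAML is itself a top-level sequence; a comment such as `# processors is user-supplied YAML inserted as-is: it must be a sequence of processor mappings` would document that contract. Both templates also end without a trailing newline, which the diff flags.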
+++ b/packages/cisco/0.13.3/data_stream/ios/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,241 @@ +--- +description: Pipeline for Cisco IOS logs. + +processors: + - set: + field: ecs.version + value: '1.12.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: event.category + value: network + - set: + field: event.provider + value: firewall + - set: + field: event.type + value: info + - dissect: + field: event.original + pattern: "%{_temp_.ts->} %{+_temp_.ts} %{+_temp_.ts->} %{log.source.address} %{event.sequence}: %{_temp_.timestamp}: %{_temp_.message}" + - grok: + field: _temp_.message + patterns: + - "%%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:message}" + - convert: + field: event.severity + type: long + ignore_missing: true + - convert: + field: event.sequence + type: long + ignore_missing: true + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address}(%{source.port}) %{} %{destination.address}(%{destination.port}), %{source.packets} packet" + if: "['IPACCESSLOGP', 'ACCESSLOGP'].contains(ctx.event?.code)" + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{icmp.type}/%{icmp.code}), %{source.packets} packet" + if: "['IPACCESSLOGDP', 'ACCESSLOGDP'].contains(ctx.event?.code)" + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address}, %{source.packets} packet" + if: "ctx.event?.code == 'IPACCESSLOGRP'" + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{igmp.type}), %{source.packets} packet" + if: "['IPACCESSLOGSP', 'ACCESSLOGSP'].contains(ctx.event?.code)" + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} 
%{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet" + if: "['IPACCESSLOGNP', 'ACCESSLOGNP'].contains(ctx.event?.code)" + - dissect: + field: message + pattern: "%{cisco.ios.action} %{_temp_.event.action} [user: %{source.user.name}] [Source: %{source.address}] [localport: %{destination.port}] at %{}" + if: "ctx.event?.code == 'LOGIN_SUCCESS'" + - dissect: + field: message + pattern: "User %{source.user.name} has %{cisco.ios.action} %{cisco.ios.session.type} session %{cisco.ios.session.number}(%{source.address})" + if: "ctx.event?.code == 'LOGOUT'" + - grok: + field: message + patterns: + - 'Received \(%{PIM_SOURCE}, %{DATA:cisco.ios.pim.group.ip}\) %{WORD:cisco.ios.action} from %{IP:source.address} for %{DATA:cisco.ios.outcome} %{IP:destination.address}' + pattern_definitions: + PIM_SOURCE: (%{IP:cisco.ios.pim.source.ip}|%{DATA}) + if: "ctx.event?.code == 'INVALID_RP_JOIN'" + - set: + field: event.action + value: "multicast-join" + if: ctx.event?.code == "INVALID_RP_JOIN" + - set: + field: event.outcome + value: "failure" + if: ctx.event?.code == "INVALID_RP_JOIN" + - set: + field: event.reason + value: "Invalid RP" + if: ctx.event?.code == "INVALID_RP_JOIN" + - set: + field: destination.ip + value: '{{ destination.address }}' + if: ctx.destination?.address != null + - set: + field: source.ip + value: '{{ source.address }}' + if: ctx.source?.address != null + - convert: + field: cisco.ios.pim.source.ip + type: ip + ignore_missing: true + - convert: + field: source.port + type: long + ignore_missing: true + - convert: + field: source.packets + type: long + ignore_missing: true + - convert: + field: destination.port + type: long + ignore_missing: true + - set: + field: network.packets + copy_from: source.packets + if: ctx.source?.packets != null + - set: + field: network.type + value: ipv4 + if: "ctx.source?.ip != null && ctx.source?.ip.contains('.')" + - set: + field: network.type + value: ipv6 + if: "ctx.source?.ip != null 
&& ctx.network?.type == null" + - set: + field: event.action + value: deny + if: "ctx._temp_?.event?.action == 'denied'" + - set: + field: event.type + value: denied + if: "ctx.event?.action == 'deny'" + - set: + field: event.action + value: allow + if: "ctx._temp_?.event?.action == 'permitted'" + - set: + field: event.type + value: allowed + if: "ctx.event?.action == 'allow'" + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: emergencies + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + +# IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + 
ignore_missing: true + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx.destination?.ip != null + - append: + field: related.user + value: "{{source.user.name}}" + allow_duplicates: false + if: ctx.source?.user?.name != null + - community_id: + ignore_missing: true + ignore_failure: true + - remove: + field: _temp_ + ignore_missing: true + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco/0.13.3/data_stream/ios/fields/agent.yml b/packages/cisco/0.13.3/data_stream/ios/fields/agent.yml new file mode 100755 index 0000000000..32d10234f9 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ios/fields/agent.yml 
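Review bot: `source.ip` and `destination.ip` are filled from `source.address` / `destination.address` by mustache rendering with no type check, so any non-IP token captured by one of the dissect patterns lands in an `ip`-mapped field and the document is rejected at index time instead of failing inside the pipeline, where `on_failure` at least records `error.message`; the file already handles this correctly for `cisco.ios.pim.source.ip` with a `convert` of `type: ip`, and the same two processors (`field: source.ip` / `field: destination.ip`, `type: ip`, `ignore_missing: true`) placed after the two `set`s would close the gap. Those two `set`s could also use `copy_from: destination.address` and `copy_from: source.address`, as the later `network.packets` set does, rather than template rendering. The `log.level` conditions use `ctx.event.severity` while every other condition in the file is null-safe (`ctx.event?.code`); `ctx.event` always exists here because `event.category` is set unconditionally, so this is style rather than a defect, but the mixed forms invite a copy-paste mistake. Lastly the `# IP Autonomous System (AS) Lookup` comment sits at column 0 inside the indented `processors` list whereas the geolocation comment is indented with its items.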
@@ -0,0 +1,216 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: elastic.agent.id + type: keyword +- name: elastic.agent.snapshot + type: boolean +- name: elastic.agent.version + type: keyword +- name: input.type + type: keyword +- name: log.offset + type: long +- name: log.source.address + type: keyword +- name: hostname + type: keyword + description: Hostname from syslog header. +- name: process.program + type: keyword + description: Process from syslog header. diff --git a/packages/cisco/0.13.3/data_stream/ios/fields/base-fields.yml b/packages/cisco/0.13.3/data_stream/ios/fields/base-fields.yml new file mode 100755 index 0000000000..00107880f5 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ios/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco.ios +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cisco/0.13.3/data_stream/ios/fields/ecs.yml b/packages/cisco/0.13.3/data_stream/ios/fields/ecs.yml new file mode 100755 index 0000000000..56f7375e87 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/ios/fields/ecs.yml 
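Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so YAML parsers read it as an integer although the field is `keyword`; quoting it, `example: "666777888999"`, keeps the example the same type as the field, as the file already does for `"18D109"` and `"stretch"`. The `os.build` and `os.codename` entries use `description: >` followed by a blank line while the rest of the file uses quoted or plain scalars; if this block is regenerated from a shared template, the quoting and block-scalar style are worth keeping consistent there rather than patched by hand.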
@@ -0,0 +1,238 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: event.end contains the date when the event ended or when the activity was last observed.
+ name: event.end
+ type: date
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ Custom key/value pairs.
+ Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
+ Example: `docker` and `k8s` labels.
+ name: labels
+ type: object
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Packets sent from the source to the destination.
+ name: source.packets
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/cisco/0.13.3/data_stream/ios/fields/fields.yml b/packages/cisco/0.13.3/data_stream/ios/fields/fields.yml
new file mode 100755
index 0000000000..526f201e80
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/ios/fields/fields.yml
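Review bot: The list defines `event.created` twice, as two identical consecutive entries between `event.code` and `event.duration`, and `source.address` twice, once after `related.user` and again after `source.user.name`. A field path can only carry one mapping, so the second copies are dead weight at best and may fail package validation for duplicate field definitions; drop the second entry of each. If this file is emitted by a generator from a list of ECS field references, the duplicate names should be removed from that list as well so they do not return on regeneration.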
@@ -0,0 +1,53 @@
+- name: cisco.ios
+ type: group
+ fields:
+ - name: access_list
+ type: keyword
+ description: |
+ Name of the IP access list.
+ - name: action
+ type: keyword
+ description: |
+ Action taken by the device
+ - name: facility
+ type: keyword
+ description: |
+ The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.
+ - name: pim
+ type: group
+ fields:
+ - name: group
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: Multicast group IP
+ - name: source
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ description: Multicast source IP
+ - name: outcome
+ type: keyword
+ description: The result of the event
+ - name: session
+ type: group
+ description: Fields for Session information
+ fields:
+ - name: number
+ type: integer
+ description: Session ID
+ - name: type
+ type: keyword
+ example: tty
+ description: Session type
+- name: icmp.code
+ type: keyword
+ description: ICMP code.
+- name: icmp.type
+ type: keyword
+ description: ICMP type.
+- name: igmp.type
+ type: keyword
+ description: IGMP type.
diff --git a/packages/cisco/0.13.3/data_stream/ios/manifest.yml b/packages/cisco/0.13.3/data_stream/ios/manifest.yml
new file mode 100755
index 0000000000..cbbdb93b39
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/ios/manifest.yml
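Review bot: The `access_list`, `action` and `facility` descriptions use `description: |`, which keeps a trailing newline in the rendered field docs, while every other description in this file is a plain scalar; write them as plain scalars, e.g. `description: Name of the IP access list.`, or use `|-` if the block form is kept for the long `facility` text. `Action taken by the device`, `Multicast group IP`, `The result of the event` and the session descriptions also lack the terminating period the other entries have.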
@@ -0,0 +1,87 @@
+title: Cisco IOS logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Cisco IOS logs
+ description: Collect Cisco IOS logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ios
+ - forwarded
+ - name: syslog_host
+ type: text
+ title: Host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9002
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Cisco IOS logs
+ description: Collect Cisco IOS logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-ios.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ios
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco/0.13.3/data_stream/ios/sample_event.json b/packages/cisco/0.13.3/data_stream/ios/sample_event.json
new file mode 100755
index 0000000000..37d6cb6a88
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/ios/sample_event.json
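Review bot: The `syslog_host` and `syslog_port` vars of the udp stream carry no `description`, unlike `preserve_original_event` and `processors` in the same stream, so the Fleet form gives the operator no hint of what the listener exposes. Add `description: Address the UDP syslog listener binds to. The default 'localhost' accepts only local traffic; bind a specific interface address rather than '0.0.0.0' when devices must send over the network, as UDP syslog carries no sender authentication.` under `syslog_host`, and a matching one-line description of the UDP port under `syslog_port`. The udp stream's `processors` description uses `>` while the logfile stream's uses `>-`; the two should agree, and `>-` avoids the trailing newline in the rendered help text.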
@@ -0,0 +1,83 @@
+{
+ "@timestamp": "2021-07-19T08:58:29.370Z",
+ "agent": {
+ "ephemeral_id": "7e9d4c95-b972-479d-bc6c-2ac0d05f3eb1",
+ "hostname": "docker-fleet-agent",
+ "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.14.0"
+ },
+ "cisco": {
+ "ios": {
+ "access_list": "177",
+ "facility": "SEC"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco.ios",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "224.0.0.22",
+ "ip": "224.0.0.22"
+ },
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "elastic_agent": {
+ "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9",
+ "snapshot": true,
+ "version": "7.14.0"
+ },
+ "event": {
+ "action": "deny",
+ "agent_id_status": "verified",
+ "category": "network",
+ "code": "IPACCESSLOGRP",
+ "dataset": "cisco.ios",
+ "ingested": "2021-07-19T08:58:30.397370366Z",
+ "original": "Feb 8 04:00:48 198.51.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -\u003e 224.0.0.22, 1 packet\n",
+ "provider": "firewall",
+ "sequence": 585917,
+ "severity": 6,
+ "timezone": "+00:00",
+ "type": "denied"
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "informational",
+ "source": {
+ "address": "198.51.100.2"
+ }
+ },
+ "message": "list 177 denied igmp 198.51.100.197 -\u003e 224.0.0.22, 1 packet",
+ "network": {
+ "community_id": "1:Rt5RGlrNED3cg8Wokm4+KGsDz+4=",
+ "packets": 1,
+ "transport": "igmp",
+ "type": "ipv4"
+ },
+ "related": {
+ "ip": [
+ "198.51.100.197",
+ "224.0.0.22"
+ ]
+ },
+ "source": {
+ "address": "198.51.100.197",
+ "ip": "198.51.100.197",
+ "packets": 1
+ },
+ "tags": [
+ "preserve_original_event",
+ "cisco-ios",
+ "forwarded"
+ ]
+}
\ No newline at end of file
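Review bot: The file ends without a trailing newline (`\ No newline at end of file`); add one so the next regeneration does not produce a whole-file whitespace diff. The sample also reports `"ecs": { "version": "1.10.0" }` and a 7.14.0 agent, while the `ecs.yml` added in this same change maps fields with `match_only_text`, a type that belongs to newer ECS releases, so the sample appears to predate the current pipeline and is worth regenerating so the documented output matches the shipped mappings.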
diff --git a/packages/cisco/0.13.3/data_stream/meraki/agent/stream/stream.yml.hbs b/packages/cisco/0.13.3/data_stream/meraki/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..7789762c76
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/meraki/agent/stream/stream.yml.hbs
@@ -0,0 +1,3256 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cisco" + product: "Meraki" + type: "Wireless" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ 
evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? 
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? 
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hfld2}.%{hfld3->} %{p0}"); + + var dup2 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant("_appliance "), + field("p0"), + ], + }); + + var dup3 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" "), + field("p0"), + ], + }); + + var dup4 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); + + var dup5 = setc("eventcategory","1605020000"); + + var dup6 = setf("msg","$MSG"); + + var dup7 = setc("event_source","appliance"); + + var dup8 = setf("sensor","node"); + + var dup9 = date_time({ + dest: "event_time", + args: ["hfld2"], + fmts: [ + [dX], + ], + }); + + var dup10 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); + + var dup11 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); + + var dup12 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); + + var dup13 = match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); + + var dup14 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); + + var dup15 = setc("eventcategory","1607000000"); + + var dup16 = setc("event_type","ids-alerts"); + + var dup17 = date_time({ + dest: "event_time", + args: ["fld3"], + fmts: [ + [dX], + ], + }); + + var dup18 = setc("event_type","security_event"); + + var dup19 = constant("Allow"); + + var dup20 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ + dup2, + ])); + + var dup21 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ + dup3, + ])); + + var dup22 = linear_select([ + dup11, + dup12, + ]); + + var dup23 = linear_select([ + dup20, + dup21, + ]); + + var part1 = match("HEADER#0:0003/2", "nwparser.p0", "urls %{p0}"); + + var all1 = all_match({ + processors: [ + 
dup1, + dup23, + part1, + ], + on_success: processor_chain([ + setc("header_id","0003"), + setc("messageid","urls"), + ]), + }); + + var part2 = match("HEADER#1:0002/1_0", "nwparser.p0", "%{node}_appliance events %{p0}"); + + var part3 = match("HEADER#1:0002/1_1", "nwparser.p0", "%{node->} events %{p0}"); + + var select1 = linear_select([ + part2, + part3, + ]); + + var part4 = match_copy("HEADER#1:0002/2", "nwparser.p0", "payload"); + + var all2 = all_match({ + processors: [ + dup1, + select1, + part4, + ], + on_success: processor_chain([ + setc("header_id","0002"), + setc("messageid","events"), + ]), + }); + + var part5 = match("HEADER#2:0001/2", "nwparser.p0", "%{messageid->} %{p0}"); + + var all3 = all_match({ + processors: [ + dup1, + dup23, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), + }); + + var part6 = match("HEADER#3:0005/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}"); + + var part7 = match("HEADER#3:0005/1_1", "nwparser.p0", "%{hfld4->} %{p0}"); + + var select2 = linear_select([ + part6, + part7, + ]); + + var part8 = match("HEADER#3:0005/2", "nwparser.p0", "%{} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld6"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var all4 = all_match({ + processors: [ + dup1, + select2, + part8, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), + }); + + var hdr1 = match("HEADER#4:0004", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{hfld4}_%{space->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select3 = linear_select([ + all1, + all2, + all3, + all4, + hdr1, + ]); + + var part9 = match("MESSAGE#0:flows/0_0", "nwparser.payload", "%{node}_appliance %{p0}"); + + var part10 = match("MESSAGE#0:flows/0_1", "nwparser.payload", "%{node->} %{p0}"); + + var select4 = linear_select([ + part9, + 
part10, + ]); + + var part11 = match("MESSAGE#0:flows/1", "nwparser.p0", "flows src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part12 = match("MESSAGE#0:flows/2_0", "nwparser.p0", "mac=%{dmacaddr->} %{p0}"); + + var select5 = linear_select([ + part12, + dup4, + ]); + + var part13 = match("MESSAGE#0:flows/3", "nwparser.p0", "protocol=%{protocol->} %{p0}"); + + var part14 = match("MESSAGE#0:flows/4_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} %{p0}"); + + var part15 = match("MESSAGE#0:flows/4_1", "nwparser.p0", "type=%{event_type->} %{p0}"); + + var select6 = linear_select([ + part14, + part15, + dup4, + ]); + + var part16 = match("MESSAGE#0:flows/5", "nwparser.p0", "pattern: %{fld21->} %{info}"); + + var all5 = all_match({ + processors: [ + select4, + part11, + select5, + part13, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + lookup({ + dest: "nwparser.action", + map: map_actionType, + key: field("fld21"), + }), + dup7, + dup8, + dup9, + ]), + }); + + var msg1 = msg("flows", all5); + + var part17 = match("MESSAGE#1:flows:01/0", "nwparser.payload", "%{node->} flows %{action->} src=%{saddr->} dst=%{daddr->} mac=%{smacaddr->} protocol=%{protocol->} %{p0}"); + + var part18 = match("MESSAGE#1:flows:01/1_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} "); + + var part19 = match("MESSAGE#1:flows:01/1_1", "nwparser.p0", "type=%{event_type->} "); + + var select7 = linear_select([ + part18, + part19, + dup10, + ]); + + var all6 = all_match({ + processors: [ + part17, + select7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), + }); + + var msg2 = msg("flows:01", all6); + + var part20 = match("MESSAGE#2:flows:02", "nwparser.payload", "%{node->} flows %{action}", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg3 = msg("flows:02", part20); + + var select8 = linear_select([ + msg1, + msg2, + msg3, + ]); + + var part21 = match("MESSAGE#3:urls/0_0", "nwparser.payload", 
"%{node}_appliance urls src=%{p0}"); + + var part22 = match("MESSAGE#3:urls/0_1", "nwparser.payload", "%{node->} urls src=%{p0}"); + + var part23 = match("MESSAGE#3:urls/0_2", "nwparser.payload", "src=%{p0}"); + + var select9 = linear_select([ + part21, + part22, + part23, + ]); + + var part24 = match("MESSAGE#3:urls/1", "nwparser.p0", "%{sport}:%{saddr->} dst=%{daddr}:%{dport->} mac=%{macaddr->} %{p0}"); + + var part25 = match("MESSAGE#3:urls/2_0", "nwparser.p0", "agent='%{user_agent}' request: %{p0}"); + + var part26 = match("MESSAGE#3:urls/2_1", "nwparser.p0", "agent=%{user_agent->} request: %{p0}"); + + var part27 = match("MESSAGE#3:urls/2_2", "nwparser.p0", "request: %{p0}"); + + var select10 = linear_select([ + part25, + part26, + part27, + ]); + + var part28 = match("MESSAGE#3:urls/3", "nwparser.p0", "%{} %{web_method}%{url}"); + + var all7 = all_match({ + processors: [ + select9, + part24, + select10, + part28, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), + }); + + var msg4 = msg("urls", all7); + + var part29 = match("MESSAGE#4:events/0", "nwparser.payload", "dhcp lease of ip %{saddr->} from server mac %{smacaddr->} for client mac %{p0}"); + + var part30 = match("MESSAGE#4:events/1_0", "nwparser.p0", "%{dmacaddr->} with hostname %{hostname->} from router %{p0}"); + + var part31 = match("MESSAGE#4:events/1_1", "nwparser.p0", "%{dmacaddr->} from router %{p0}"); + + var select11 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#4:events/2", "nwparser.p0", "%{hostip->} on subnet %{mask->} with dns %{dns_a_record}"); + + var all8 = all_match({ + processors: [ + part29, + select11, + part32, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), + }); + + var msg5 = msg("events", all8); + + var part33 = match("MESSAGE#5:events:02/0", "nwparser.payload", "content_filtering_block url='%{url}' category0='%{category}' server='%{daddr}:%{dport}'%{p0}"); + + var part34 = 
match("MESSAGE#5:events:02/1_0", "nwparser.p0", " client_mac='%{dmacaddr}'"); + + var select12 = linear_select([ + part34, + dup10, + ]); + + var all9 = all_match({ + processors: [ + part33, + select12, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","content_filtering_block"), + dup8, + dup9, + ]), + }); + + var msg6 = msg("events:02", all9); + + var part35 = tagval("MESSAGE#6:events:01", "nwparser.payload", tvm, { + "aid": "fld1", + "arp_resp": "fld2", + "arp_src": "fld3", + "auth_neg_dur": "fld4", + "auth_neg_failed": "fld5", + "category0": "category", + "channel": "fld6", + "client_ip": "daddr", + "client_mac": "dmacaddr", + "connectivity": "fld28", + "dhcp_ip": "fld23", + "dhcp_lease_completed": "fld22", + "dhcp_resp": "fld26", + "dhcp_server": "fld24", + "dhcp_server_mac": "fld25", + "dns_req_rtt": "fld7", + "dns_resp": "fld8", + "dns_server": "fld9", + "duration": "duration", + "full_conn": "fld11", + "http_resp": "fld21", + "identity": "fld12", + "instigator": "fld20", + "ip_resp": "fld13", + "ip_src": "saddr", + "is_8021x": "fld15", + "is_wpa": "fld16", + "last_auth_ago": "fld17", + "radio": "fld18", + "reason": "fld19", + "rssi": "dclass_ratio1", + "server": "daddr", + "type": "event_type", + "url": "url", + "vap": "fld22", + "vpn_type": "fld27", + }, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg7 = msg("events:01", part35); + + var part36 = match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","events IDS"), + dup8, + dup9, + ])); + + var msg8 = msg("events:03", part36); + + var part37 = match("MESSAGE#8:events:04/0", "nwparser.payload", "dhcp %{p0}"); + + var part38 = match("MESSAGE#8:events:04/1_0", "nwparser.p0", "no offers%{p0}"); + + var part39 = match("MESSAGE#8:events:04/1_1", "nwparser.p0", "release%{p0}"); + + var select13 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#8:events:04/2", 
"nwparser.p0", "%{}for mac %{macaddr}"); + + var all10 = all_match({ + processors: [ + part37, + select13, + part40, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","events DHCP"), + dup8, + dup9, + ]), + }); + + var msg9 = msg("events:04", all10); + + var part41 = match("MESSAGE#9:events:05", "nwparser.payload", "MAC %{macaddr->} and MAC %{macaddr->} both claim IP: %{saddr}", processor_chain([ + dup5, + dup6, + setc("event_description"," events MAC"), + dup8, + dup9, + ])); + + var msg10 = msg("events:05", part41); + + var select14 = linear_select([ + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part42 = match("MESSAGE#10:ids-alerts:01/0", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); + + var part43 = match("MESSAGE#10:ids-alerts:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message: %{p0}"); + + var part44 = match("MESSAGE#10:ids-alerts:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message: %{p0}"); + + var select15 = linear_select([ + part43, + part44, + ]); + + var all11 = all_match({ + processors: [ + part42, + dup22, + dup13, + select15, + dup14, + ], + on_success: processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ]), + }); + + var msg11 = msg("ids-alerts:01", all11); + + var part45 = match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}direction=%{direction->} protocol=%{protocol->} src=%{saddr}:%{sport}", processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ])); + + var msg12 = msg("ids-alerts:03", part45); + + var part46 = match("MESSAGE#12:ids-alerts:02", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}protocol=%{protocol->} src=%{saddr->} dst=%{daddr}message: %{signame}", processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ])); + + 
var msg13 = msg("ids-alerts:02", part46); + + var select16 = linear_select([ + msg11, + msg12, + msg13, + ]); + + var part47 = match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{event_description->} url=%{url->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} mac=%{smacaddr->} name=%{fld10->} sha256=%{fld11->} disposition=%{disposition->} action=%{action}", processor_chain([ + dup5, + dup6, + dup18, + dup8, + dup9, + ])); + + var msg14 = msg("security_event", part47); + + var part48 = match("MESSAGE#14:security_event:01/0", "nwparser.payload", "%{node->} security_event %{event_description->} signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); + + var part49 = match("MESSAGE#14:security_event:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message:%{p0}"); + + var part50 = match("MESSAGE#14:security_event:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message:%{p0}"); + + var select17 = linear_select([ + part49, + part50, + ]); + + var all12 = all_match({ + processors: [ + part48, + dup22, + dup13, + select17, + dup14, + ], + on_success: processor_chain([ + dup15, + dup6, + dup18, + dup8, + dup17, + ]), + }); + + var msg15 = msg("security_event:01", all12); + + var select18 = linear_select([ + msg14, + msg15, + ]); + + var chain1 = processor_chain([ + select3, + msgid_select({ + "events": select14, + "flows": select8, + "ids-alerts": select16, + "security_event": select18, + "urls": msg4, + }), + ]); + + var hdr2 = match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); + + var part51 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); + + var part52 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); + + var part53 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); + + var part54 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); + + var part55 = 
match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); + + var part56 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); + + var part57 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ + dup2, + ])); + + var part58 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ + dup3, + ])); + + var select19 = linear_select([ + dup11, + dup12, + ]); + + var select20 = linear_select([ + dup20, + dup21, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ 
diff --git a/packages/cisco/0.13.3/data_stream/meraki/agent/stream/tcp.yml.hbs b/packages/cisco/0.13.3/data_stream/meraki/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..c835db3270
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/meraki/agent/stream/tcp.yml.hbs
@@ -0,0 +1,3253 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Cisco"
+ product: "Meraki"
+ type: "Wireless"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid":
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime":
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number":
{to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert:
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time":
{to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk":
{to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field:
"rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter:
fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field:
"rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field:
"rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host":
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+
tzOffset = evt.Get("event.timezone");
+ }
+ var container = new DateContainer(tzOffset);
+ for (var i=0; i} %{hfld2}.%{hfld3->} %{p0}");
+
+ var dup2 = call({
+ dest: "nwparser.payload",
+ fn: STRCAT,
+ args: [
+ field("hfld4"),
+ constant("_appliance "),
+ field("p0"),
+ ],
+ });
+
+ var dup3 = call({
+ dest: "nwparser.payload",
+ fn: STRCAT,
+ args: [
+ field("hfld4"),
+ constant(" "),
+ field("p0"),
+ ],
+ });
+
+ var dup4 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0");
+
+ var dup5 = setc("eventcategory","1605020000");
+
+ var dup6 = setf("msg","$MSG");
+
+ var dup7 = setc("event_source","appliance");
+
+ var dup8 = setf("sensor","node");
+
+ var dup9 = date_time({
+ dest: "event_time",
+ args: ["hfld2"],
+ fmts: [
+ [dX],
+ ],
+ });
+
+ var dup10 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", "");
+
+ var dup11 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}");
+
+ var dup12 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}");
+
+ var dup13 = match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}");
+
+ var dup14 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame");
+
+ var dup15 = setc("eventcategory","1607000000");
+
+ var dup16 = setc("event_type","ids-alerts");
+
+ var dup17 = date_time({
+ dest: "event_time",
+ args: ["fld3"],
+ fmts: [
+ [dX],
+ ],
+ });
+
+ var dup18 = setc("event_type","security_event");
+
+ var dup19 = constant("Allow");
+
+ var dup20 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([
+ dup2,
+ ]));
+
+ var dup21 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([
+ dup3,
+ ]));
+
+ var dup22 = linear_select([
+ dup11,
+ dup12,
+ ]);
+
+ var dup23 = linear_select([
+ dup20,
+ dup21,
+ ]);
+
+ var part1 = match("HEADER#0:0003/2", "nwparser.p0", "urls %{p0}");
+
+ var all1 = all_match({
+ processors: [
+
dup1, + dup23, + part1, + ], + on_success: processor_chain([ + setc("header_id","0003"), + setc("messageid","urls"), + ]), + }); + + var part2 = match("HEADER#1:0002/1_0", "nwparser.p0", "%{node}_appliance events %{p0}"); + + var part3 = match("HEADER#1:0002/1_1", "nwparser.p0", "%{node->} events %{p0}"); + + var select1 = linear_select([ + part2, + part3, + ]); + + var part4 = match_copy("HEADER#1:0002/2", "nwparser.p0", "payload"); + + var all2 = all_match({ + processors: [ + dup1, + select1, + part4, + ], + on_success: processor_chain([ + setc("header_id","0002"), + setc("messageid","events"), + ]), + }); + + var part5 = match("HEADER#2:0001/2", "nwparser.p0", "%{messageid->} %{p0}"); + + var all3 = all_match({ + processors: [ + dup1, + dup23, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), + }); + + var part6 = match("HEADER#3:0005/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}"); + + var part7 = match("HEADER#3:0005/1_1", "nwparser.p0", "%{hfld4->} %{p0}"); + + var select2 = linear_select([ + part6, + part7, + ]); + + var part8 = match("HEADER#3:0005/2", "nwparser.p0", "%{} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld6"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var all4 = all_match({ + processors: [ + dup1, + select2, + part8, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), + }); + + var hdr1 = match("HEADER#4:0004", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{hfld4}_%{space->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select3 = linear_select([ + all1, + all2, + all3, + all4, + hdr1, + ]); + + var part9 = match("MESSAGE#0:flows/0_0", "nwparser.payload", "%{node}_appliance %{p0}"); + + var part10 = match("MESSAGE#0:flows/0_1", "nwparser.payload", "%{node->} %{p0}"); + + var select4 = linear_select([ + part9, + 
part10, + ]); + + var part11 = match("MESSAGE#0:flows/1", "nwparser.p0", "flows src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part12 = match("MESSAGE#0:flows/2_0", "nwparser.p0", "mac=%{dmacaddr->} %{p0}"); + + var select5 = linear_select([ + part12, + dup4, + ]); + + var part13 = match("MESSAGE#0:flows/3", "nwparser.p0", "protocol=%{protocol->} %{p0}"); + + var part14 = match("MESSAGE#0:flows/4_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} %{p0}"); + + var part15 = match("MESSAGE#0:flows/4_1", "nwparser.p0", "type=%{event_type->} %{p0}"); + + var select6 = linear_select([ + part14, + part15, + dup4, + ]); + + var part16 = match("MESSAGE#0:flows/5", "nwparser.p0", "pattern: %{fld21->} %{info}"); + + var all5 = all_match({ + processors: [ + select4, + part11, + select5, + part13, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + lookup({ + dest: "nwparser.action", + map: map_actionType, + key: field("fld21"), + }), + dup7, + dup8, + dup9, + ]), + }); + + var msg1 = msg("flows", all5); + + var part17 = match("MESSAGE#1:flows:01/0", "nwparser.payload", "%{node->} flows %{action->} src=%{saddr->} dst=%{daddr->} mac=%{smacaddr->} protocol=%{protocol->} %{p0}"); + + var part18 = match("MESSAGE#1:flows:01/1_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} "); + + var part19 = match("MESSAGE#1:flows:01/1_1", "nwparser.p0", "type=%{event_type->} "); + + var select7 = linear_select([ + part18, + part19, + dup10, + ]); + + var all6 = all_match({ + processors: [ + part17, + select7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), + }); + + var msg2 = msg("flows:01", all6); + + var part20 = match("MESSAGE#2:flows:02", "nwparser.payload", "%{node->} flows %{action}", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg3 = msg("flows:02", part20); + + var select8 = linear_select([ + msg1, + msg2, + msg3, + ]); + + var part21 = match("MESSAGE#3:urls/0_0", "nwparser.payload", 
"%{node}_appliance urls src=%{p0}"); + + var part22 = match("MESSAGE#3:urls/0_1", "nwparser.payload", "%{node->} urls src=%{p0}"); + + var part23 = match("MESSAGE#3:urls/0_2", "nwparser.payload", "src=%{p0}"); + + var select9 = linear_select([ + part21, + part22, + part23, + ]); + + var part24 = match("MESSAGE#3:urls/1", "nwparser.p0", "%{sport}:%{saddr->} dst=%{daddr}:%{dport->} mac=%{macaddr->} %{p0}"); + + var part25 = match("MESSAGE#3:urls/2_0", "nwparser.p0", "agent='%{user_agent}' request: %{p0}"); + + var part26 = match("MESSAGE#3:urls/2_1", "nwparser.p0", "agent=%{user_agent->} request: %{p0}"); + + var part27 = match("MESSAGE#3:urls/2_2", "nwparser.p0", "request: %{p0}"); + + var select10 = linear_select([ + part25, + part26, + part27, + ]); + + var part28 = match("MESSAGE#3:urls/3", "nwparser.p0", "%{} %{web_method}%{url}"); + + var all7 = all_match({ + processors: [ + select9, + part24, + select10, + part28, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), + }); + + var msg4 = msg("urls", all7); + + var part29 = match("MESSAGE#4:events/0", "nwparser.payload", "dhcp lease of ip %{saddr->} from server mac %{smacaddr->} for client mac %{p0}"); + + var part30 = match("MESSAGE#4:events/1_0", "nwparser.p0", "%{dmacaddr->} with hostname %{hostname->} from router %{p0}"); + + var part31 = match("MESSAGE#4:events/1_1", "nwparser.p0", "%{dmacaddr->} from router %{p0}"); + + var select11 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#4:events/2", "nwparser.p0", "%{hostip->} on subnet %{mask->} with dns %{dns_a_record}"); + + var all8 = all_match({ + processors: [ + part29, + select11, + part32, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), + }); + + var msg5 = msg("events", all8); + + var part33 = match("MESSAGE#5:events:02/0", "nwparser.payload", "content_filtering_block url='%{url}' category0='%{category}' server='%{daddr}:%{dport}'%{p0}"); + + var part34 = 
match("MESSAGE#5:events:02/1_0", "nwparser.p0", " client_mac='%{dmacaddr}'"); + + var select12 = linear_select([ + part34, + dup10, + ]); + + var all9 = all_match({ + processors: [ + part33, + select12, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","content_filtering_block"), + dup8, + dup9, + ]), + }); + + var msg6 = msg("events:02", all9); + + var part35 = tagval("MESSAGE#6:events:01", "nwparser.payload", tvm, { + "aid": "fld1", + "arp_resp": "fld2", + "arp_src": "fld3", + "auth_neg_dur": "fld4", + "auth_neg_failed": "fld5", + "category0": "category", + "channel": "fld6", + "client_ip": "daddr", + "client_mac": "dmacaddr", + "connectivity": "fld28", + "dhcp_ip": "fld23", + "dhcp_lease_completed": "fld22", + "dhcp_resp": "fld26", + "dhcp_server": "fld24", + "dhcp_server_mac": "fld25", + "dns_req_rtt": "fld7", + "dns_resp": "fld8", + "dns_server": "fld9", + "duration": "duration", + "full_conn": "fld11", + "http_resp": "fld21", + "identity": "fld12", + "instigator": "fld20", + "ip_resp": "fld13", + "ip_src": "saddr", + "is_8021x": "fld15", + "is_wpa": "fld16", + "last_auth_ago": "fld17", + "radio": "fld18", + "reason": "fld19", + "rssi": "dclass_ratio1", + "server": "daddr", + "type": "event_type", + "url": "url", + "vap": "fld22", + "vpn_type": "fld27", + }, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg7 = msg("events:01", part35); + + var part36 = match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","events IDS"), + dup8, + dup9, + ])); + + var msg8 = msg("events:03", part36); + + var part37 = match("MESSAGE#8:events:04/0", "nwparser.payload", "dhcp %{p0}"); + + var part38 = match("MESSAGE#8:events:04/1_0", "nwparser.p0", "no offers%{p0}"); + + var part39 = match("MESSAGE#8:events:04/1_1", "nwparser.p0", "release%{p0}"); + + var select13 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#8:events:04/2", 
"nwparser.p0", "%{}for mac %{macaddr}"); + + var all10 = all_match({ + processors: [ + part37, + select13, + part40, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","events DHCP"), + dup8, + dup9, + ]), + }); + + var msg9 = msg("events:04", all10); + + var part41 = match("MESSAGE#9:events:05", "nwparser.payload", "MAC %{macaddr->} and MAC %{macaddr->} both claim IP: %{saddr}", processor_chain([ + dup5, + dup6, + setc("event_description"," events MAC"), + dup8, + dup9, + ])); + + var msg10 = msg("events:05", part41); + + var select14 = linear_select([ + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part42 = match("MESSAGE#10:ids-alerts:01/0", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); + + var part43 = match("MESSAGE#10:ids-alerts:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message: %{p0}"); + + var part44 = match("MESSAGE#10:ids-alerts:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message: %{p0}"); + + var select15 = linear_select([ + part43, + part44, + ]); + + var all11 = all_match({ + processors: [ + part42, + dup22, + dup13, + select15, + dup14, + ], + on_success: processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ]), + }); + + var msg11 = msg("ids-alerts:01", all11); + + var part45 = match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}direction=%{direction->} protocol=%{protocol->} src=%{saddr}:%{sport}", processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ])); + + var msg12 = msg("ids-alerts:03", part45); + + var part46 = match("MESSAGE#12:ids-alerts:02", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}protocol=%{protocol->} src=%{saddr->} dst=%{daddr}message: %{signame}", processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ])); + + 
var msg13 = msg("ids-alerts:02", part46); + + var select16 = linear_select([ + msg11, + msg12, + msg13, + ]); + + var part47 = match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{event_description->} url=%{url->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} mac=%{smacaddr->} name=%{fld10->} sha256=%{fld11->} disposition=%{disposition->} action=%{action}", processor_chain([ + dup5, + dup6, + dup18, + dup8, + dup9, + ])); + + var msg14 = msg("security_event", part47); + + var part48 = match("MESSAGE#14:security_event:01/0", "nwparser.payload", "%{node->} security_event %{event_description->} signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); + + var part49 = match("MESSAGE#14:security_event:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message:%{p0}"); + + var part50 = match("MESSAGE#14:security_event:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message:%{p0}"); + + var select17 = linear_select([ + part49, + part50, + ]); + + var all12 = all_match({ + processors: [ + part48, + dup22, + dup13, + select17, + dup14, + ], + on_success: processor_chain([ + dup15, + dup6, + dup18, + dup8, + dup17, + ]), + }); + + var msg15 = msg("security_event:01", all12); + + var select18 = linear_select([ + msg14, + msg15, + ]); + + var chain1 = processor_chain([ + select3, + msgid_select({ + "events": select14, + "flows": select8, + "ids-alerts": select16, + "security_event": select18, + "urls": msg4, + }), + ]); + + var hdr2 = match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); + + var part51 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); + + var part52 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); + + var part53 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); + + var part54 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); + + var part55 = 
match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); + + var part56 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); + + var part57 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ + dup2, + ])); + + var part58 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ + dup3, + ])); + + var select19 = linear_select([ + dup11, + dup12, + ]); + + var select20 = linear_select([ + dup20, + dup21, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ 
diff --git a/packages/cisco/0.13.3/data_stream/meraki/agent/stream/udp.yml.hbs b/packages/cisco/0.13.3/data_stream/meraki/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..d88b14f802 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/meraki/agent/stream/udp.yml.hbs 
@@ -0,0 +1,3253 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cisco" + product: "Meraki" + type: "Wireless" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]},
+ "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
+ "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
+ "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
+ "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
+ "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
+ "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
+ "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
+ "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
+ "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
+ "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
+ "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
+ "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
+ "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
+ "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
+ "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
+ "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
+ "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
+ "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
+ "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
+ "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
+ "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
+ "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
+ "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
+ "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
+ "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
+ "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]},
+ "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
+ "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
+ "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
+ "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
+ "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
+ "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
+ "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
+ "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
+ "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
+ "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
+ "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
+ "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
+ "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
+ "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
+ "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
+ "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
+ "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
+ "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
+ "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
+ "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
+ "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
+ "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
+ "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
+ "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
+ "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
+ "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
+ "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]},
+ "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
+ "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
+ "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
+ "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
+ "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
+ "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
+ "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
+ "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
+ "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
+ "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
+ "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
+ "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
+ "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
+ "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
+ "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
+ "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
+ "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
+ "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
+ "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
+ "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
+ "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
+ "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
+ "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
+ "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
+ "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
+ "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
+ "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
+ "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
+ "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hfld2}.%{hfld3->} %{p0}"); + + var dup2 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant("_appliance "), + field("p0"), + ], + }); + + var dup3 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" "), + field("p0"), + ], + }); + + var dup4 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); + + var dup5 = setc("eventcategory","1605020000"); + + var dup6 = setf("msg","$MSG"); + + var dup7 = setc("event_source","appliance"); + + var dup8 = setf("sensor","node"); + + var dup9 = date_time({ + dest: "event_time", + args: ["hfld2"], + fmts: [ + [dX], + ], + }); + + var dup10 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); + + var dup11 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); + + var dup12 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); + + var dup13 = match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); + + var dup14 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); + + var dup15 = setc("eventcategory","1607000000"); + + var dup16 = setc("event_type","ids-alerts"); + + var dup17 = date_time({ + dest: "event_time", + args: ["fld3"], + fmts: [ + [dX], + ], + }); + + var dup18 = setc("event_type","security_event"); + + var dup19 = constant("Allow"); + + var dup20 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ + dup2, + ])); + + var dup21 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ + dup3, + ])); + + var dup22 = linear_select([ + dup11, + dup12, + ]); + + var dup23 = linear_select([ + dup20, + dup21, + ]); + + var part1 = match("HEADER#0:0003/2", "nwparser.p0", "urls %{p0}"); + + var all1 = all_match({ + processors: [ + 
dup1, + dup23, + part1, + ], + on_success: processor_chain([ + setc("header_id","0003"), + setc("messageid","urls"), + ]), + }); + + var part2 = match("HEADER#1:0002/1_0", "nwparser.p0", "%{node}_appliance events %{p0}"); + + var part3 = match("HEADER#1:0002/1_1", "nwparser.p0", "%{node->} events %{p0}"); + + var select1 = linear_select([ + part2, + part3, + ]); + + var part4 = match_copy("HEADER#1:0002/2", "nwparser.p0", "payload"); + + var all2 = all_match({ + processors: [ + dup1, + select1, + part4, + ], + on_success: processor_chain([ + setc("header_id","0002"), + setc("messageid","events"), + ]), + }); + + var part5 = match("HEADER#2:0001/2", "nwparser.p0", "%{messageid->} %{p0}"); + + var all3 = all_match({ + processors: [ + dup1, + dup23, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), + }); + + var part6 = match("HEADER#3:0005/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}"); + + var part7 = match("HEADER#3:0005/1_1", "nwparser.p0", "%{hfld4->} %{p0}"); + + var select2 = linear_select([ + part6, + part7, + ]); + + var part8 = match("HEADER#3:0005/2", "nwparser.p0", "%{} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld6"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var all4 = all_match({ + processors: [ + dup1, + select2, + part8, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), + }); + + var hdr1 = match("HEADER#4:0004", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{hfld4}_%{space->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select3 = linear_select([ + all1, + all2, + all3, + all4, + hdr1, + ]); + + var part9 = match("MESSAGE#0:flows/0_0", "nwparser.payload", "%{node}_appliance %{p0}"); + + var part10 = match("MESSAGE#0:flows/0_1", "nwparser.payload", "%{node->} %{p0}"); + + var select4 = linear_select([ + part9, + 
part10, + ]); + + var part11 = match("MESSAGE#0:flows/1", "nwparser.p0", "flows src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part12 = match("MESSAGE#0:flows/2_0", "nwparser.p0", "mac=%{dmacaddr->} %{p0}"); + + var select5 = linear_select([ + part12, + dup4, + ]); + + var part13 = match("MESSAGE#0:flows/3", "nwparser.p0", "protocol=%{protocol->} %{p0}"); + + var part14 = match("MESSAGE#0:flows/4_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} %{p0}"); + + var part15 = match("MESSAGE#0:flows/4_1", "nwparser.p0", "type=%{event_type->} %{p0}"); + + var select6 = linear_select([ + part14, + part15, + dup4, + ]); + + var part16 = match("MESSAGE#0:flows/5", "nwparser.p0", "pattern: %{fld21->} %{info}"); + + var all5 = all_match({ + processors: [ + select4, + part11, + select5, + part13, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + lookup({ + dest: "nwparser.action", + map: map_actionType, + key: field("fld21"), + }), + dup7, + dup8, + dup9, + ]), + }); + + var msg1 = msg("flows", all5); + + var part17 = match("MESSAGE#1:flows:01/0", "nwparser.payload", "%{node->} flows %{action->} src=%{saddr->} dst=%{daddr->} mac=%{smacaddr->} protocol=%{protocol->} %{p0}"); + + var part18 = match("MESSAGE#1:flows:01/1_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} "); + + var part19 = match("MESSAGE#1:flows:01/1_1", "nwparser.p0", "type=%{event_type->} "); + + var select7 = linear_select([ + part18, + part19, + dup10, + ]); + + var all6 = all_match({ + processors: [ + part17, + select7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), + }); + + var msg2 = msg("flows:01", all6); + + var part20 = match("MESSAGE#2:flows:02", "nwparser.payload", "%{node->} flows %{action}", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg3 = msg("flows:02", part20); + + var select8 = linear_select([ + msg1, + msg2, + msg3, + ]); + + var part21 = match("MESSAGE#3:urls/0_0", "nwparser.payload", 
"%{node}_appliance urls src=%{p0}"); + + var part22 = match("MESSAGE#3:urls/0_1", "nwparser.payload", "%{node->} urls src=%{p0}"); + + var part23 = match("MESSAGE#3:urls/0_2", "nwparser.payload", "src=%{p0}"); + + var select9 = linear_select([ + part21, + part22, + part23, + ]); + + var part24 = match("MESSAGE#3:urls/1", "nwparser.p0", "%{sport}:%{saddr->} dst=%{daddr}:%{dport->} mac=%{macaddr->} %{p0}"); + + var part25 = match("MESSAGE#3:urls/2_0", "nwparser.p0", "agent='%{user_agent}' request: %{p0}"); + + var part26 = match("MESSAGE#3:urls/2_1", "nwparser.p0", "agent=%{user_agent->} request: %{p0}"); + + var part27 = match("MESSAGE#3:urls/2_2", "nwparser.p0", "request: %{p0}"); + + var select10 = linear_select([ + part25, + part26, + part27, + ]); + + var part28 = match("MESSAGE#3:urls/3", "nwparser.p0", "%{} %{web_method}%{url}"); + + var all7 = all_match({ + processors: [ + select9, + part24, + select10, + part28, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), + }); + + var msg4 = msg("urls", all7); + + var part29 = match("MESSAGE#4:events/0", "nwparser.payload", "dhcp lease of ip %{saddr->} from server mac %{smacaddr->} for client mac %{p0}"); + + var part30 = match("MESSAGE#4:events/1_0", "nwparser.p0", "%{dmacaddr->} with hostname %{hostname->} from router %{p0}"); + + var part31 = match("MESSAGE#4:events/1_1", "nwparser.p0", "%{dmacaddr->} from router %{p0}"); + + var select11 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#4:events/2", "nwparser.p0", "%{hostip->} on subnet %{mask->} with dns %{dns_a_record}"); + + var all8 = all_match({ + processors: [ + part29, + select11, + part32, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), + }); + + var msg5 = msg("events", all8); + + var part33 = match("MESSAGE#5:events:02/0", "nwparser.payload", "content_filtering_block url='%{url}' category0='%{category}' server='%{daddr}:%{dport}'%{p0}"); + + var part34 = 
match("MESSAGE#5:events:02/1_0", "nwparser.p0", " client_mac='%{dmacaddr}'"); + + var select12 = linear_select([ + part34, + dup10, + ]); + + var all9 = all_match({ + processors: [ + part33, + select12, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","content_filtering_block"), + dup8, + dup9, + ]), + }); + + var msg6 = msg("events:02", all9); + + var part35 = tagval("MESSAGE#6:events:01", "nwparser.payload", tvm, { + "aid": "fld1", + "arp_resp": "fld2", + "arp_src": "fld3", + "auth_neg_dur": "fld4", + "auth_neg_failed": "fld5", + "category0": "category", + "channel": "fld6", + "client_ip": "daddr", + "client_mac": "dmacaddr", + "connectivity": "fld28", + "dhcp_ip": "fld23", + "dhcp_lease_completed": "fld22", + "dhcp_resp": "fld26", + "dhcp_server": "fld24", + "dhcp_server_mac": "fld25", + "dns_req_rtt": "fld7", + "dns_resp": "fld8", + "dns_server": "fld9", + "duration": "duration", + "full_conn": "fld11", + "http_resp": "fld21", + "identity": "fld12", + "instigator": "fld20", + "ip_resp": "fld13", + "ip_src": "saddr", + "is_8021x": "fld15", + "is_wpa": "fld16", + "last_auth_ago": "fld17", + "radio": "fld18", + "reason": "fld19", + "rssi": "dclass_ratio1", + "server": "daddr", + "type": "event_type", + "url": "url", + "vap": "fld22", + "vpn_type": "fld27", + }, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg7 = msg("events:01", part35); + + var part36 = match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","events IDS"), + dup8, + dup9, + ])); + + var msg8 = msg("events:03", part36); + + var part37 = match("MESSAGE#8:events:04/0", "nwparser.payload", "dhcp %{p0}"); + + var part38 = match("MESSAGE#8:events:04/1_0", "nwparser.p0", "no offers%{p0}"); + + var part39 = match("MESSAGE#8:events:04/1_1", "nwparser.p0", "release%{p0}"); + + var select13 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#8:events:04/2", 
"nwparser.p0", "%{}for mac %{macaddr}"); + + var all10 = all_match({ + processors: [ + part37, + select13, + part40, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","events DHCP"), + dup8, + dup9, + ]), + }); + + var msg9 = msg("events:04", all10); + + var part41 = match("MESSAGE#9:events:05", "nwparser.payload", "MAC %{macaddr->} and MAC %{macaddr->} both claim IP: %{saddr}", processor_chain([ + dup5, + dup6, + setc("event_description"," events MAC"), + dup8, + dup9, + ])); + + var msg10 = msg("events:05", part41); + + var select14 = linear_select([ + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part42 = match("MESSAGE#10:ids-alerts:01/0", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); + + var part43 = match("MESSAGE#10:ids-alerts:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message: %{p0}"); + + var part44 = match("MESSAGE#10:ids-alerts:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message: %{p0}"); + + var select15 = linear_select([ + part43, + part44, + ]); + + var all11 = all_match({ + processors: [ + part42, + dup22, + dup13, + select15, + dup14, + ], + on_success: processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ]), + }); + + var msg11 = msg("ids-alerts:01", all11); + + var part45 = match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}direction=%{direction->} protocol=%{protocol->} src=%{saddr}:%{sport}", processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ])); + + var msg12 = msg("ids-alerts:03", part45); + + var part46 = match("MESSAGE#12:ids-alerts:02", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}protocol=%{protocol->} src=%{saddr->} dst=%{daddr}message: %{signame}", processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ])); + + 
var msg13 = msg("ids-alerts:02", part46); + + var select16 = linear_select([ + msg11, + msg12, + msg13, + ]); + + var part47 = match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{event_description->} url=%{url->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} mac=%{smacaddr->} name=%{fld10->} sha256=%{fld11->} disposition=%{disposition->} action=%{action}", processor_chain([ + dup5, + dup6, + dup18, + dup8, + dup9, + ])); + + var msg14 = msg("security_event", part47); + + var part48 = match("MESSAGE#14:security_event:01/0", "nwparser.payload", "%{node->} security_event %{event_description->} signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); + + var part49 = match("MESSAGE#14:security_event:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message:%{p0}"); + + var part50 = match("MESSAGE#14:security_event:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message:%{p0}"); + + var select17 = linear_select([ + part49, + part50, + ]); + + var all12 = all_match({ + processors: [ + part48, + dup22, + dup13, + select17, + dup14, + ], + on_success: processor_chain([ + dup15, + dup6, + dup18, + dup8, + dup17, + ]), + }); + + var msg15 = msg("security_event:01", all12); + + var select18 = linear_select([ + msg14, + msg15, + ]); + + var chain1 = processor_chain([ + select3, + msgid_select({ + "events": select14, + "flows": select8, + "ids-alerts": select16, + "security_event": select18, + "urls": msg4, + }), + ]); + + var hdr2 = match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); + + var part51 = match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); + + var part52 = match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); + + var part53 = match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); + + var part54 = match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); + + var part55 = 
match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); + + var part56 = match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); + + var part57 = match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ + dup2, + ])); + + var part58 = match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ + dup3, + ])); + + var select19 = linear_select([ + dup11, + dup12, + ]); + + var select20 = linear_select([ + dup20, + dup21, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ 
diff --git a/packages/cisco/0.13.3/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/0.13.3/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..9d52405888
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,69 @@
+---
+description: Pipeline for Cisco Meraki
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
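Review bot: The comment `# ECS event.ingested` above the first `set` processor does not describe what that step does — it sets `ecs.version` to `'8.0.0'`, and nothing in this pipeline writes `event.ingested`. Either reword it to `# ECS version` or, if populating `event.ingested` was intended here, add the corresponding `set`; as written, a reader skimming the pipeline may assume an ingest timestamp is being recorded. The `on_failure` handler only appends `error.message`; sibling Fleet pipelines commonly also set `event.kind: pipeline_error` so that documents that failed parsing can be found with a single query, which seems worth adding so silent partial failures do not blend into normal events. Note also that `event.original` is dropped unless the `preserve_original_event` tag is present, so any after-the-fact review of a raw Meraki line depends on that tag being configured at ingest time; the data stream's README should say so.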
diff --git a/packages/cisco/0.13.3/data_stream/meraki/fields/agent.yml b/packages/cisco/0.13.3/data_stream/meraki/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/meraki/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/cisco/0.13.3/data_stream/meraki/fields/base-fields.yml b/packages/cisco/0.13.3/data_stream/meraki/fields/base-fields.yml
new file mode 100755
index 0000000000..774b6eba7f
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/meraki/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco.meraki
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/cisco/0.13.3/data_stream/meraki/fields/ecs.yml b/packages/cisco/0.13.3/data_stream/meraki/fields/ecs.yml
new file mode 100755
index 0000000000..78ddffacce
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/meraki/fields/ecs.yml
@@ -0,0 +1,541 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: |-
+ The domain name of the client system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: client.domain
+ type: keyword
+- description: |-
+ The highest registered client domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: client.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: client.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: client.top_level_domain
+ type: keyword
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ MAC address of the destination.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: destination.mac
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ The highest registered destination domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: destination.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: destination.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: destination.top_level_domain
+ type: keyword
+- description: |-
+ The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
+ name: dns.answers.name
+ type: keyword
+- description: The type of data contained in this resource record.
+ name: dns.answers.type
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message. 
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ Array of file attributes.
+ Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+ name: file.attributes
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: City name.
+ name: geo.city_name
+ type: keyword
+- description: Country name.
+ name: geo.country_name
+ type: keyword
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: geo.name
+ type: keyword
+- description: Region name.
+ name: geo.region_name
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+ The field value must be normalized to lowercase for querying.
+ name: network.application
+ type: keyword
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: Host IP address when the source IP address is the proxy.
+ name: network.forwarded_ip
+ type: ip
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: Observer version.
+ name: observer.version
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.name
+ type: keyword
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.title
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.title
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event. 
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ The highest registered server domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: server.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: server.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain
+ type: keyword
+- description: |-
+ Name of the service data is collected from.
+ The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+ In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+ name: service.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ The highest registered source domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: source.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: source.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: source.top_level_domain
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
diff --git a/packages/cisco/0.13.3/data_stream/meraki/fields/fields.yml b/packages/cisco/0.13.3/data_stream/meraki/fields/fields.yml
new file mode 100755
index 0000000000..f59640c275
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/meraki/fields/fields.yml
@@ -0,0 +1,1753 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + 
type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: 
cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - 
name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: network.interface.name + type: keyword +- name: dns.question.domain + type: keyword + description: Server domain. diff --git a/packages/cisco/0.13.3/data_stream/meraki/manifest.yml b/packages/cisco/0.13.3/data_stream/meraki/manifest.yml new file mode 100755 index 0000000000..1e6886498d --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/meraki/manifest.yml 
@@ -0,0 +1,204 @@
+title: Cisco Meraki logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Cisco Meraki logs
+ description: Collect Cisco Meraki logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-meraki
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9525
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Cisco Meraki logs
+ description: Collect Cisco Meraki logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-meraki
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9525
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Cisco Meraki logs
+ description: Collect Cisco Meraki logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-meraki.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-meraki
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco/0.13.3/data_stream/meraki/sample_event.json b/packages/cisco/0.13.3/data_stream/meraki/sample_event.json
new file mode 100755
index 0000000000..8e037da837
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/meraki/sample_event.json
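Review bot: The `processors` description is written as `description: >` in the udp and tcp streams but as `description: >-` in the logfile stream; `>` keeps a trailing newline in the rendered value while `>-` strips it, so the three should agree (prefer `description: >-` in all three). The `udp_host`/`tcp_host` and `udp_port`/`tcp_port` vars carry only a `title`, while `preserve_original_event` and `processors` also carry a `description`; since nothing in this manifest exposes a TLS or authentication option for the udp or tcp listener, a sentence such as `description: Address to bind the listener to. The default only accepts traffic from the local host; binding to a non-loopback address accepts syslog from any sender that can reach the port.` would help operators change the default deliberately. `rsa_fields`, `keep_raw_fields` and `debug` likewise lack a description of what they switch on.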
@@ -0,0 +1,91 @@
+{
+ "@timestamp": "2016-01-29T06:09:59.000Z",
+ "agent": {
+ "ephemeral_id": "0f004ed2-0b2a-4215-8b24-e652cef37253",
+ "hostname": "docker-fleet-agent",
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "data_stream": {
+ "dataset": "cisco.meraki",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": [
+ "10.193.124.51"
+ ],
+ "port": 5293
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "elastic_agent": {
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "action": "deny\n",
+ "agent_id_status": "verified",
+ "code": "security_event",
+ "dataset": "cisco.meraki",
+ "ingested": "2022-01-25T09:01:37Z",
+ "original": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny\n",
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "172.19.0.4:59238"
+ }
+ },
+ "observer": {
+ "product": "Meraki",
+ "type": "Wireless",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "10.193.124.51",
+ "10.15.44.253"
+ ]
+ },
+ "rsa": {
+ "internal": {
+ "event_desc": "olaborissecurity_event tur",
+ "messageid": "security_event"
+ },
+ "misc": {
+ "action": [
+ "deny\n"
+ ],
+ "disposition": "ntium",
+ "event_type": "security_event",
+ "node": "nto_",
+ "sensor": "nto_"
+ },
+ "time": {
+ "event_time": "2016-01-29T06:09:59.000Z"
+ }
+ },
+ "source": {
+ "ip": [
+ "10.15.44.253"
+ ],
+ "mac": "01:00:5e:28:ae:7d",
+ "port": 5078
+ },
+ "tags": [
+ "preserve_original_event",
+ "cisco-meraki",
+ "forwarded"
+ ],
+ "url": {
+ "original": "https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac"
+ }
+}
\ No newline at end of file
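Review bot: `event.action` and `rsa.misc.action` are pinned here as `"deny\n"`, so the raw line terminator from the end of `event.original` leaks into the parsed ECS value and any exact-match query or detection rule keyed on `event.action: deny` will miss this event. Since this fixture is the expected output, the fix presumably belongs in the meraki parser (outside this hunk), which should trim trailing whitespace from the last captured value before it is copied into `event.action`, after which this sample should be regenerated. The other trailing-field captures (`disposition`, `sha256`) are not affected only because they are not the last token on the line, so the same trim should apply generally rather than to `action` alone.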
diff --git a/packages/cisco/0.13.3/data_stream/nexus/agent/stream/stream.yml.hbs b/packages/cisco/0.13.3/data_stream/nexus/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..d998957901
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/nexus/agent/stream/stream.yml.hbs
@@ -0,0 +1,7179 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cisco" + product: "Nexus" + type: "Switches" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} Hit-count = %{dclass_counter1}"); + + var dup60 = setc("dclass_counter1_string","Hit Count"); + + var dup61 = setc("eventcategory","1603100000"); + + var dup62 = setc("eventcategory","1701020000"); + + var dup63 = setc("eventcategory","1801000000"); + + var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var dup72 = setc("ec_outcome","Error"); + + var dup73 = setc("eventcategory","1703000000"); + + var dup74 = setc("obj_type","vPC"); + + var dup75 = setc("ec_subject","OS"); + + var dup76 = setc("ec_activity","Start"); + + var dup77 = setc("eventcategory","1801010000"); + + var dup78 = setc("ec_activity","Receive"); + + var dup79 = setc("ec_activity","Send"); + + var dup80 = setc("ec_activity","Create"); + + var dup81 = setc("event_description","Switchover completed."); + + var dup82 = setc("event_description","Invalid user"); + + var dup83 = setc("eventcategory","1401000000"); + + var dup84 = setc("ec_subject","Service"); + + var dup85 = setc("event_description","Duplicate address Detected."); + + var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", 
processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup92 = linear_select([ + dup26, + dup27, + ]); + + var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var dup98 = linear_select([ + dup46, + dup47, + 
]); + + var dup99 = linear_select([ + dup49, + dup50, + ]); + + var dup100 = linear_select([ + dup54, + dup55, + ]); + + var dup101 = linear_select([ + dup57, + dup58, + ]); + + var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup103 = linear_select([ + dup65, + dup66, + ]); + + var dup104 = linear_select([ + dup67, + dup68, + ]); + + var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup107 = linear_select([ + dup70, + dup71, + ]); + + var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0007"), + ])); + + var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr5 
= match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0012"), + ])); + + var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0008"), + ])); + + var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ + setc("header_id","0011"), + ])); + + var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0009"), + ])); + + var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0013"), + ])); + + var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0010"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + ]); + + var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); + + var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + 
dup3, + dup4, + dup6, + ])); + + var msg2 = msg("SYSTEM_MSG", part1); + + var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, + ])); + + var msg3 = msg("SYSTEM_MSG:12", part2); + + var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg4 = msg("SYSTEM_MSG:01", part3); + + var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg5 = msg("SYSTEM_MSG:11", part4); + + var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); + + var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); + + var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); + + var select2 = linear_select([ + part6, + part7, + ]); + + var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); + + var all1 = all_match({ + processors: [ + part5, + select2, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + ]), + }); + + var msg6 = msg("SYSTEM_MSG:19", all1); + + var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg7 = msg("SYSTEM_MSG:02", part9); + + var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); + + var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); + + var select3 = 
linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); + + var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); + + var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); + + var select4 = linear_select([ + part13, + part14, + ]); + + var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); + + var all2 = all_match({ + processors: [ + select3, + part12, + select4, + part15, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg8 = msg("SYSTEM_MSG:03", all2); + + var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg9 = msg("SYSTEM_MSG:04", part16); + + var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); + + var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); + + var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); + + var select5 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); + + var all3 = all_match({ + processors: [ + part17, + select5, + part20, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg10 = msg("SYSTEM_MSG:05", all3); + + var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg11 = msg("SYSTEM_MSG:06", part21); + + var part22 = match("MESSAGE#11:SYSTEM_MSG:07", 
"nwparser.payload", "fatal:%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg12 = msg("SYSTEM_MSG:07", part22); + + var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg13 = msg("SYSTEM_MSG:09", part23); + + var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg14 = msg("SYSTEM_MSG:10", part24); + + var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg15 = msg("SYSTEM_MSG:13", part25); + + var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg16 = msg("SYSTEM_MSG:14", part26); + + var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup11, + dup12, + ])); + + var msg17 = msg("SYSTEM_MSG:15", part27); + + var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup11, + dup13, + dup12, + dup14, + ])); + + var msg18 = msg("SYSTEM_MSG:16", part28); + + var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); + + var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); + + var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); + + var select6 = 
linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); + + var all4 = all_match({ + processors: [ + part29, + select6, + part32, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg19 = msg("SYSTEM_MSG:17", all4); + + var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg20 = msg("SYSTEM_MSG:20", part33); + + var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + setc("ec_subject","Password"), + dup16, + dup12, + dup17, + ])); + + var msg21 = msg("SYSTEM_MSG:21", part34); + + var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg22 = msg("SYSTEM_MSG:22", part35); + + var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + ])); + + var msg23 = msg("SYSTEM_MSG:23", part36); + + var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); + + var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); + + var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); + + var all5 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup19, + 
dup2, + dup3, + dup4, + dup11, + dup20, + dup17, + ]), + }); + + var msg24 = msg("SYSTEM_MSG:24", all5); + + var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); + + var select8 = linear_select([ + part41, + dup21, + ]); + + var all6 = all_match({ + processors: [ + select8, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg25 = msg("SYSTEM_MSG:08", all6); + + var select9 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + ]); + + var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); + + var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("action","activated"), + setc("event_description","Policy is activated by profile"), + ])); + + var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); + + var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg28 = msg("POLICY_COMMIT_EVENT", part44); + + var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ + setc("eventcategory","1701070000"), + dup2, + dup3, + dup4, + setc("action","de-activated"), + setc("event_description","Policy is de-activated by last referring profile"), + ])); + + var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); + + var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", 
"nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); + + var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg31 = msg("POLICY_LOOKUP_EVENT", part47); + + var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); + + var select10 = linear_select([ + msg30, + msg31, + msg32, + ]); + + var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); + + var msg34 = msg("MTSERROR", dup86); + + var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. 
Reason:%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); + + var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); + + var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); + + var select11 = linear_select([ + msg36, + msg37, + ]); + + var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); + + var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); + + var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); + + var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); + + var select12 = linear_select([ + msg40, + msg41, + ]); + + var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); + + var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); + + var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface duplex mode changed"), + ])); + + var msg44 = msg("IF_DUPLEX", part51); + + var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); + + var all7 = all_match({ + processors: [ + part52, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Receive Flow Control state changed"), + ]), + }); + + var msg45 = msg("IF_RX_FLOW_CONTROL", all7); + + var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg46 = msg("IF_SEQ_ERROR", part53); + + var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); + + var all8 = all_match({ + 
processors: [ + part54, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Transmit Flow Control state changed"), + ]), + }); + + var msg47 = msg("IF_TX_FLOW_CONTROL", all8); + + var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up in mode"), + ])); + + var msg48 = msg("IF_UP", part55); + + var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up"), + ])); + + var msg49 = msg("IF_UP:01", part56); + + var select13 = linear_select([ + msg48, + msg49, + ]); + + var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational speed changed"), + ])); + + var msg50 = msg("SPEED", part57); + + var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg51 = msg("CREATED", part58); + + var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg52 = msg("FOP_CHANGED", part59); + + var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg53 = msg("PORT_DOWN", part60); + + var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg54 = msg("PORT_UP", 
part61); + + var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); + + var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); + + var msg57 = msg("MTS_DROP", dup87); + + var msg58 = msg("SYSLOG_LOG_WARNING", dup87); + + var msg59 = msg("IM_SEQ_ERROR", dup93); + + var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); + + var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); + + var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); + + var msg63 = msg("IMG_DNLD_COMPLETE", dup87); + + var msg64 = msg("IMG_DNLD_STARTED", dup87); + + var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); + + var msg66 = msg("MSM_CRIT", dup93); + + var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); + + var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); + + var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg69 = msg("MOD_FAIL", part66); + + var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + 
var msg70 = msg("MOD_MAJORSWFAIL", part67); + + var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); + + var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg72 = msg("MOD_WARNING:01", part69); + + var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg73 = msg("MOD_WARNING", part70); + + var select14 = linear_select([ + msg72, + msg73, + ]); + + var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg74 = msg("ACTIVE_SUP_OK", part71); + + var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg75 = msg("MOD_OK", part72); + + var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg76 = msg("MOD_RESTART", part73); + + var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute resolved for port on VLAN"), + ])); + + var msg77 = 
msg("DISPUTE_CLEARED", part74); + + var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute detected on port on VLAN"), + ])); + + var msg78 = msg("DISPUTE_DETECTED", part75); + + var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); + + var msg80 = msg("CHASSIS_CLKMODOK", dup87); + + var msg81 = msg("CHASSIS_CLKSRC", dup87); + + var msg82 = msg("FAN_OK", dup87); + + var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg83 = msg("MOD_DETECT", part76); + + var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg84 = msg("MOD_PWRDN", part77); + + var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg85 = msg("MOD_PWRUP", part78); + + var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg86 = msg("MOD_REMOVE", part79); + + var msg87 = msg("PFM_MODULE_POWER_ON", dup87); + + var msg88 = msg("PFM_SYSTEM_RESET", dup87); + + var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); + + var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); + + var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); + + var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); + + var msg93 = msg("PFM_VEM_UNLICENSED", dup87); + + var msg94 = msg("PS_FANOK", dup87); + + var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number 
%{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg95 = msg("PS_OK", part80); + + var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); + + var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg97 = msg("FAN_DETECT", part82); + + var msg98 = msg("MOD_STATUS", dup87); + + var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC configured vlans changed"), + ])); + + var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); + + var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg100 = msg("PEER_VPC_DELETED", part84); + + var msg101 = msg("PFM_VEM_DETECTED", dup87); + + var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg102 = msg("PS_FOUND", part85); + + var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); + + var select15 = linear_select([ + part86, + dup21, + ]); + + var all9 = all_match({ + processors: [ + select15, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg103 = msg("PS_STATUS", all9); + + var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); + + var msg105 = msg("PS_CAPACITY_CHANGE", dup87); + + var select16 = linear_select([ + msg104, + msg105, + ]); + + var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); + + var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); + + var select17 = linear_select([ + msg106, + msg107, + ]); + + var msg108 = msg("IF_DOWN_INITIALIZING", dup90); + + var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); + + var select18 = linear_select([ + msg108, + msg109, + ]); + + var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg110 = msg("IF_DOWN_NONE", part88); + + var msg111 = msg("IF_DOWN_NONE:01", dup96); + + var select19 = linear_select([ + msg110, + msg111, + ]); + + var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); + + var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); + + var select20 = linear_select([ + msg112, + msg113, + ]); + + var msg114 = msg("IF_DOWN_OFFLINE", dup88); + + var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); + + var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); + + var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); + + var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg118 = msg("IF_TRUNK_DOWN", part90); + + var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ + dup23, + dup2, + dup3, + dup4, 
+ ])); + + var msg119 = msg("IF_TRUNK_DOWN:01", part91); + + var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg120 = msg("IF_TRUNK_DOWN:02", part92); + + var select21 = linear_select([ + msg118, + msg119, + msg120, + ]); + + var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg121 = msg("IF_TRUNK_UP", part93); + + var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg122 = msg("IF_TRUNK_UP:01", part94); + + var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg123 = msg("IF_TRUNK_UP:02", part95); + + var select22 = linear_select([ + msg121, + msg122, + msg123, + ]); + + var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); + + var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); + + var msg126 = msg("STANDBY_SUP_OK", dup87); + + var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Loops detected in the network among ports"), + ])); + + var msg127 = msg("STM_LOOP_DETECT", part97); + + var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ + dup15, + 
dup2, + dup3, + dup4, + ])); + + var msg128 = msg("SYNC_COMPLETE", part98); + + var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); + + var msg130 = msg("MESG", dup87); + + var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var msg131 = msg("ERR_MSG", part99); + + var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); + + var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); + + var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg134 = msg("CFGWRITE_FAILED", part101); + + var msg135 = msg("CFGWRITE_ABORTED", dup87); + + var msg136 = msg("CFGWRITE_DONE", dup87); + + var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); + + var select23 = linear_select([ + part102, + dup21, + ]); + + var all10 = all_match({ + processors: [ + select23, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg137 = msg("CFGWRITE_STARTED", all10); + + var msg138 = msg("IF_ATTACHED", dup87); + + var msg139 = msg("IF_DELETE_AUTO", dup94); + + var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg140 = msg("IF_DETACHED", part103); + + var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); + + var msg142 = msg("IF_DOWN_INACTIVE", dup88); + + var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); + + var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", 
processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); + + var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ + dup36, + dup2, + dup3, + dup4, + ])); + + var msg145 = msg("CONN_CONNECT", part105); + + var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup3, + dup4, + ])); + + var msg146 = msg("CONN_DISCONNECT", part106); + + var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg147 = msg("DVPG_CREATE", part107); + + var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg148 = msg("DVPG_DELETE", part108); + + var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); + + var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg150 = msg("DVS_NAME_CHANGE", part109); + + var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); + + var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg152 = msg("VPC_DELETED", part110); + + var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","VPC is up"), + ])); + + var msg153 = msg("VPC_UP", part111); + + var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by 
%{username->} on %{p0}"); + + var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); + + var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); + + var select24 = linear_select([ + part113, + part114, + ]); + + var all11 = all_match({ + processors: [ + part112, + select24, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); + + var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); + + var select25 = linear_select([ + msg154, + msg155, + ]); + + var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); + + var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); + + var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","program start"), + ])); + + var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); + + var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); + + var part120 = 
match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); + + var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); + + var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + ])); + + var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); + + var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); + + var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); + + var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); + + var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); + + var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", 
"update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); + + var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); + + var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); + + var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); + + var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); + + var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); + + var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var select26 = linear_select([ + part132, + part133, + ]); + + var all12 = all_match({ + processors: [ + dup42, + select26, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); + + var part134 = 
match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); + + var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); + + var select27 = linear_select([ + part134, + part135, + ]); + + var all13 = all_match({ + processors: [ + dup42, + select27, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); + + var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); + + var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Added user"), + dup44, + ])); + + var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); + + var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Deleted user"), + dup44, + ])); + + var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); + + var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); + + var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg178 = 
msg("AAA_ACCOUNTING_MESSAGE:07", part140); + + var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); + + var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); + + var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); + + var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); + + var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","shell terminated"), + ])); + + var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); + + var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); + + var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); + + var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", 
"nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); + + var select28 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + ]); + + var all14 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Log Flow Interval"), + dup60, + ]), + }); + + var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); + + var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); + + var all15 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Lof New Flow"), + dup60, + ]), + }); + + var msg189 = msg("ACLLOG_NEW_FLOW", all15); + + var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), + ])); + + var msg190 = msg("DUP_VADDR_SRC_IP", part150); + + var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", 
"nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); + + var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); + + var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); + + var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg194 = msg("PFM_CLOCK_CHANGE", part154); + + var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); + + var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg196 = msg("snmpd", part156); + + var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg197 = msg("snmpd:01", part157); + + var select29 = linear_select([ + msg196, + msg197, + ]); + + var 
part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg198 = msg("CFGWRITE_USER_ABORT", part158); + + var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); + + var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","last message repeated number of times."), + setc("dclass_counter1_string","Number of times repeated"), + ])); + + var msg200 = msg("last", part159); + + var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg201 = msg("SERVICE_CRASHED", part160); + + var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service lost on WCCP Client"), + ])); + + var msg202 = msg("SERVICELOST", part161); + + var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); + + var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); + + var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); + + var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); + + var select30 = linear_select([ + part164, + part165, + ]); + + var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); + + var all16 = all_match({ + processors: [ + part163, + 
select30, + part166, + ], + on_success: processor_chain([ + dup23, + dup2, + dup3, + dup4, + ]), + }); + + var msg204 = msg("PS_FAIL", all16); + + var msg205 = msg("INFORMATION", dup87); + + var msg206 = msg("EVENT", dup87); + + var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); + + var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg208 = msg("NEIGHBOR_ADDED", part168); + + var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg209 = msg("NEIGHBOR_REMOVED", part169); + + var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); + + var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); + + var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); + + var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg213 = 
msg("PORT_SUSPENDED", part173); + + var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","status"), + ])); + + var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); + + var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); + + var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); + + var msg217 = msg("ADJCHANGE", dup87); + + var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg218 = msg("PORT_ADDED", part175); + + var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg219 = msg("PORT_DELETED", part176); + + var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + ])); + + var msg220 = msg("PORT_ROLE", part177); + + var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","Port state"), + ])); + + var msg221 = msg("PORT_STATE", part178); + + var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); + + var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", 
"nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); + + var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); + + var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); + + var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); + + var select31 = linear_select([ + part183, + part184, + ]); + + var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); + + var all17 = all_match({ + processors: [ + part182, + select31, + part185, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); + + var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); + + var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","Performing configuration copy"), + ])); + + var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); + + var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); + + var all18 = all_match({ + processors: [ + dup64, + dup103, + part188, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","shell terminated because of session timeout"), + ]), + }); + + var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); + + var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); + + var all19 = all_match({ + processors: [ + dup64, + dup103, + part189, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); + + var select32 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + ]); + + var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); + + var msg231 = msg("IF_SFP_WARNING", dup105); + + var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); + + var msg233 = msg("FCIP_PEER_CAVIUM", dup87); + + var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); + + var msg235 = msg("IF_DOWN_PEER_RESET", dup106); + + var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","configuration is not consistent in domain"), + ])); + + var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); + + var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ + dup8, + dup2, + dup3, + dup4, + 
setc("event_description","configuration is consistent in domain"), + ])); + + var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); + + var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); + + var msg239 = msg("IF_HARDWARE", dup105); + + var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ + setc("eventcategory","1604010000"), + dup2, + dup3, + dup4, + ])); + + var msg240 = msg("HEARTBEAT_FAILURE", part192); + + var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); + + var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); + + var msg243 = msg("MOUNT", dup87); + + var msg244 = msg("LOG_CMP_UP", dup87); + + var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); + + var all20 = all_match({ + processors: [ + dup69, + dup107, + part193, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg245 = msg("IF_XCVR_WARNING", all20); + + var msg246 = msg("IF_XCVR_WARNING:01", dup108); + + var select33 = linear_select([ + msg245, + msg246, + ]); + + var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); + + var all21 = all_match({ + processors: [ + dup69, + dup107, + part194, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg247 = msg("IF_XCVR_ALARM", all21); + + var msg248 = msg("IF_XCVR_ALARM:01", dup108); + + var select34 = linear_select([ + msg247, + msg248, + ]); + + var msg249 = msg("MEMORY_ALERT", dup87); + + var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); + + var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); + + var all22 = all_match({ + processors: [ + dup69, + dup107, + part195, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg251 = msg("IF_SFP_ALARM", all22); + + var msg252 = msg("IF_SFP_ALARM:01", dup108); + + var select35 = linear_select([ 
+ msg251, + msg252, + ]); + + var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var msg253 = msg("NBRCHANGE_DUAL", part196); + + var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); + + var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); + + var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); + + var select36 = linear_select([ + part198, + part199, + ]); + + var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); + + var all23 = all_match({ + processors: [ + part197, + select36, + part200, + ], + on_success: processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","System minor alarm on fans in fan tray"), + ]), + }); + + var msg254 = msg("SOHMS_DIAG_ERROR", all23); + + var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","FEX-System minor alarm on power supply."), + ])); + + var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); + + var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); + + var select37 = linear_select([ + msg254, + msg255, + msg256, + ]); + + var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Failed to program the mac table"), + ])); + + var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); + + var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ + dup19, + dup11, + dup20, + setc("ec_theme","UserGroup"), + dup2, + dup3, + dup4, + setc("event_description","deleting expired user account"), + ])); + + var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); + + var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","Interface is admin up."), + ])); + + var msg259 = msg("IF_ADMIN_UP", part205); + + var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","vPC is configured"), + dup74, + ])); + + var msg260 = msg("VPC_CFGD", part206); + + var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ + dup30, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","System Manager has received notification of local module becoming online."), + ])); + + var msg261 = msg("MODULE_ONLINE", part207); + + var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ + dup30, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","System booted from Primary BIOS Flash"), + ])); + + var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); + + var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ + dup77, + dup34, + dup38, + 
dup72, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC is down"), + dup74, + ])); + + var msg263 = msg("PEER_VPC_DOWN", part209); + + var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); + + var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); + + var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); + + var select38 = linear_select([ + part211, + part212, + ]); + + var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); + + var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); + + var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); + + var select39 = linear_select([ + part214, + part215, + ]); + + var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); + + var all24 = all_match({ + processors: [ + part210, + select38, + part213, + select39, + part216, + ], + on_success: processor_chain([ + dup36, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive received on interface"), + ]), + }); + + var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); + + var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ + dup36, + dup34, + dup78, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive receive is successful"), + ])); + + var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); + + var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup14, + dup2, 
+ dup3, + dup4, + setc("event_description","In domain, VPC peer keep-alive receive has failed"), + ])); + + var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); + + var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive sent on interface"), + ])); + + var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); + + var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive send is successful"), + ])); + + var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); + + var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ + dup30, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Peer keep-alive status changed."), + setc("change_attribute","peer keep-alive status"), + ])); + + var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); + + var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Ejectors' status in slot has changed."), + ])); + + var msg270 = msg("EJECTOR_STAT_CHANGED", part222); + + var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ + dup29, + setc("ec_activity","Detect"), + dup38, + dup2, + dup3, + dup4, + setc("event_description","Xbar detected"), + ])); + + var msg271 = 
msg("XBAR_DETECT", part223); + + var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","Xbar powered up"), + ])); + + var msg272 = msg("XBAR_PWRUP", part224); + + var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + setc("ec_activity","Stop"), + dup2, + dup3, + dup4, + setc("event_description","Xbar powered down"), + ])); + + var msg273 = msg("XBAR_PWRDN", part225); + + var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Xbar is online"), + ])); + + var msg274 = msg("XBAR_OK", part226); + + var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU start, locking configuration"), + ])); + + var msg275 = msg("VPC_ISSU_START", part227); + + var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), + ])); + + var msg276 = msg("VPC_ISSU_END", part228); + + var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("obj_type","new_role"), + ])); + + var msg277 = msg("PORT_RANGE_ROLE", part229); + + var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + 
dup4, + setc("obj_type","new_state"), + ])); + + var msg278 = msg("PORT_RANGE_STATE", part230); + + var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface removed from MST."), + ])); + + var msg279 = msg("PORT_RANGE_DELETED", part231); + + var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ + dup29, + dup34, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface added to MST."), + ])); + + var msg280 = msg("PORT_RANGE_ADDED", part232); + + var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Port removed as MST Boundary port"), + ])); + + var msg281 = msg("MST_PORT_BOUNDARY", part233); + + var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Non-transactional PIXM Error"), + ])); + + var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); + + var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("obj_type"," Interface state"), + ])); + + var msg283 = msg("IM_INTF_STATE", part235); + + var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ + dup62, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","VDC state changed."), + setc("obj_type"," VDC state"), + ])); + + var msg284 = msg("VDC_STATE_CHANGE", part236); + + var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup81, + ])); + + var msg285 = msg("SWITCHOVER_OVER", part237); + + var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ + dup62, + dup16, + dup38, + dup2, + dup3, + dup4, + dup81, + setc("obj_type"," New Module type"), + ])); + + var msg286 = msg("VDC_MODULETYPE", part238); + + var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ + dup77, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Unable to sync HA sequence number for service"), + ])); + + var msg287 = msg("HASEQNO_SYNC_FAILED", part239); + + var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + 
setc("event_description","Failure in sending message to standby causing standby to reset."), + ])); + + var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); + + var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Failed to lock the local module to avoid reset"), + ])); + + var msg289 = msg("MODULE_LOCK_FAILED", part241); + + var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), + ])); + + var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); + + var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ + dup29, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), + ])); + + var msg291 = msg("SERVER_ADDED", part243); + + var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ + dup24, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server on local port has been removed"), + ])); + + var msg292 = msg("SERVER_REMOVED", part244); + + var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg293 = 
msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); + + var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","port is operationally individual"), + ])); + + var msg294 = msg("PORT_INDIVIDUAL", part246); + + var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); + + var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("event_description","Interface is being recovered from error disabled state"), + ])); + + var msg296 = msg("IF_ERRDIS_RECOVERY", part248); + + var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Non-Cisco transceiver on interface is detected"), + ])); + + var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); + + var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Active supervisor is running with less memory than standby supervisor."), + ])); + + var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); + + var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Configuration update 
started."), + ])); + + var msg299 = msg("READCONF_STARTED", part251); + + var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Supervisor is running with less memory than active supervisor."), + ])); + + var msg300 = msg("SUP_POWERDOWN", part252); + + var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Starting linecard upgrade"), + ])); + + var msg301 = msg("LC_UPGRADE_START", part253); + + var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Rebooting linecard as a part of upgrade"), + ])); + + var msg302 = msg("LC_UPGRADE_REBOOT", part254); + + var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database controller started."), + ])); + + var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); + + var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database successfully restored."), + ])); + + var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); + + var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module started"), + ])); + + var msg305 = 
msg("LCM_MODULE_UPGRADE_START", part257); + + var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module ended"), + ])); + + var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); + + var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ + dup63, + dup34, + dup78, + dup35, + dup2, + dup3, + dup4, + setc("event_description","Recieved insert for lc mod"), + ])); + + var msg307 = msg("FIPS_POST_INFO_MSG", part259); + + var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","peer vPC is configured"), + dup74, + ])); + + var msg308 = msg("PEER_VPC_CFGD", part260); + + var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Potential Interop issue on interface."), + ])); + + var msg309 = msg("SYN_COLL_DIS_EN", part261); + + var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX OFFLINE"), + ])); + + var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); + + var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX ONLINE"), + ])); + + var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); + + var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + 
setc("event_description","Fex is online"), + ])); + + var msg312 = msg("FEX_STATUS_online", part264); + + var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Fex is offline"), + ])); + + var msg313 = msg("FEX_STATUS_offline", part265); + + var select40 = linear_select([ + msg312, + msg313, + ]); + + var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ + dup73, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), + ])); + + var msg314 = msg("PS_PWR_INPUT_MISSING", part266); + + var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Power redundancy operational mode changed."), + setc("change_attribute","operational mode"), + ])); + + var msg315 = msg("PS_RED_MODE_RESTORED", part267); + + var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","All ejectors open, Module will not be powered up."), + ])); + + var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); + + var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Fex pinning information is changed"), + ])); + + var msg317 = msg("PINNING_CHANGED", part269); + + var part270 = match("MESSAGE#311:SATCTRL", 
"nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX-100 Module -Cold boot"), + ])); + + var msg318 = msg("SATCTRL", part270); + + var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Client register more than once with same pid"), + ])); + + var msg319 = msg("DUP_REGISTER", part271); + + var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Unknown mtype"), + ])); + + var msg320 = msg("UNKNOWN_MTYPE", part272); + + var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + ])); + + var msg321 = msg("SATCTRL_IMAGE", part273); + + var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup1, + setc("ec_subject","Process"), + dup14, + dup2, + dup3, + dup4, + ])); + + var msg322 = msg("API_FAILED", part274); + + var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg323 = msg("SENSOR_MSG1", part275); + + var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg324 = msg("API_INIT_SEM_CLEAR", part276); + + var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","vdc has come online"), + ])); + + var msg325 = 
msg("VDC_ONLINE", part277); + + var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), + ])); + + var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); + + var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg327 = msg("dstats", part279); + + var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ + dup77, + dup34, + setc("ec_activity","Logoff"), + dup35, + dup2, + dup3, + dup4, + ])); + + var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); + + var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ + dup77, + dup34, + dup13, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg329 = msg("MSG_PORT_LOGGED_IN", part281); + + var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); + + var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg331 = msg("ZS_MERGE_FAILED", part282); + + var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); + + var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ + dup23, + dup34, + dup35, + dup2, + dup3, 
+ dup4, + setc("change_attribute","Port"), + ])); + + var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); + + var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg334 = msg("zone", part284); + + var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ + dup1, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg335 = msg("ERROR", part285); + + var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg336 = msg("INVAL_IP", part286); + + var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); + + var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg338 = msg("DUPLEX_MISMATCH", part288); + + var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg339 = msg("NOHMS_DIAG_ERROR", part289); + + var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ + dup15, + dup34, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); + + var part291 = 
match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg341 = msg("UDLD_PORT_DISABLED", part291); + + var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg342 = msg("ntpd", part292); + + var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg343 = msg("ntpd:01", part293); + + var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg344 = msg("ntpd:02", part294); + + var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg345 = msg("ntpd:03", part295); + + var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg346 = msg("ntpd:04", part296); + + var select41 = linear_select([ + msg342, + msg343, + msg344, + msg345, + msg346, + ]); + + var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg347 = msg("PFM_ALERT", part297); + + var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Client"), + ])); + + var msg348 = msg("SERVICEFOUND", part298); + + var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + 
setc("event_description","Service acquired on WCCP Router"), + ])); + + var msg349 = msg("ROUTERFOUND", part299); + + var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Authentication failed"), + ])); + + var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); + + var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup18, + dup2, + dup12, + dup3, + dup4, + setc("event_description","New user added"), + ])); + + var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); + + var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + ])); + + var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); + + var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + setc("event_description","session opened for user"), + ])); + + var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); + + var select42 = linear_select([ + msg352, + msg353, + ]); + + var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg354 = msg("%USER-3-SYSTEM_MSG", part304); + + var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg355 = msg("%USER-6-SYSTEM_MSG", part305); + + var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", 
"input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); + + var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Failed none for invalid user"), + ])); + + var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); + + var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Accepted password for user"), + ])); + + var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); + + var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","No such file or directory"), + ])); + + var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); + + var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Could not load host key"), + ])); + + var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); + + var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + ])); + + var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); + + var select43 = linear_select([ + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + ]); + + var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan 
%{vlan->} for %{duration}s due to too many mac moves", processor_chain([ + dup30, + dup2, + dup4, + setc("ec_activity","Disable"), + ])); + + var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); + + var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ + dup30, + dup2, + dup4, + dup37, + ])); + + var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); + + var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg364 = msg("PS_ABSENT", part314); + + var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg365 = msg("PS_DETECT", part315); + + var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg366 = msg("SUBPROC_TERMINATED", part316); + + var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup17, + ])); + + var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); + + var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ + dup30, + dup2, + dup4, + ])); + + var msg368 = msg("UPDOWN", part318); + + var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup4, + 
setc("change_attribute","Interface"), + ])); + + var msg369 = msg("L2FM_MAC_MOVE2", part319); + + var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); + + var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg371 = msg("PS_RED_MODE_CHG", part321); + + var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg372 = msg("INVAL_MAC", part322); + + var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ + dup15, + dup2, + dup4, + setc("change_attribute","Service status"), + ])); + + var msg373 = msg("SRVSTATE_CHANGED", part323); + + var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg374 = msg("INFO", part324); + + var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup76, + dup17, + ])); + + var msg375 = msg("SERVICE_STARTED", part325); + + var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([
+ dup8,
+ dup2,
+ dup3,
+ dup4,
+ dup85,
+ ]));
+
+ var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326);
+
+ var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([
+ dup8,
+ dup2,
+ dup3,
+ dup4,
+ dup85,
+ ]));
+
+ var msg377 = msg("DUP_SRCIP_PROBE", part327);
+
+ var chain1 = processor_chain([
+ select1,
+ msgid_select({
+ "%AUTHPRIV-3-SYSTEM_MSG": msg350,
+ "%AUTHPRIV-5-SYSTEM_MSG": msg351,
+ "%AUTHPRIV-6-SYSTEM_MSG": select42,
+ "%USER-3-SYSTEM_MSG": msg354,
+ "%USER-6-SYSTEM_MSG": select43,
+ "AAA_ACCOUNTING_MESSAGE": select28,
+ "ACLLOG_FLOW_INTERVAL": msg187,
+ "ACLLOG_MAXFLOW_REACHED": msg188,
+ "ACLLOG_NEW_FLOW": msg189,
+ "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298,
+ "ACTIVE_SUP_OK": msg74,
+ "ADDON_IMG_DNLD_COMPLETE": msg60,
+ "ADDON_IMG_DNLD_STARTED": msg61,
+ "ADDON_IMG_DNLD_SUCCESSFUL": msg62,
+ "ADJCHANGE": msg217,
+ "API_FAILED": msg322,
+ "API_INIT_SEM_CLEAR": msg324,
+ "BIOS_DAEMON_LC_PRI_BOOT": msg262,
+ "CFGWRITE_ABORTED": msg135,
+ "CFGWRITE_ABORTED_LOCK": msg133,
+ "CFGWRITE_DONE": msg136,
+ "CFGWRITE_FAILED": msg134,
+ "CFGWRITE_STARTED": msg137,
+ "CFGWRITE_USER_ABORT": msg198,
+ "CHASSIS_CLKMODOK": msg80,
+ "CHASSIS_CLKSRC": msg81,
+ "CONN_CONNECT": msg145,
+ "CONN_DISCONNECT": msg146,
+ "CREATED": msg51,
+ "DELETE_STALE_USER_ACCOUNT": msg258,
+ "DISPUTE_CLEARED": msg77,
+ "DISPUTE_DETECTED": msg78,
+ "DOMAIN_CFG_SYNC_DONE": msg79,
+ "DUPLEX_MISMATCH": msg338,
+ "DUP_REGISTER": msg319,
+ "DUP_SRCIP_PROBE": msg377,
+ "DUP_VADDR_SRCIP_PROBE": msg376,
+ "DUP_VADDR_SRC_IP": msg190,
+ "DVPG_CREATE": msg147,
+ "DVPG_DELETE": msg148,
+ "DVS_HOSTMEMBER_INFO": msg149,
+ "DVS_NAME_CHANGE": msg150,
+ "EJECTOR_STAT_CHANGED": msg270,
+
"ERROR": msg335,
+ "ERR_MSG": msg131,
+ "EVENT": msg206,
+ "FAN_DETECT": msg97,
+ "FAN_OK": msg82,
+ "FCIP_PEER_CAVIUM": msg233,
+ "FEX_PORT_STATUS_NOTI": msg214,
+ "FEX_STATUS": select40,
+ "FIPS_POST_INFO_MSG": msg307,
+ "FOP_CHANGED": msg52,
+ "HASEQNO_SYNC_FAILED": msg287,
+ "HEARTBEAT_FAILURE": msg240,
+ "IF_ADMIN_UP": msg259,
+ "IF_ATTACHED": msg138,
+ "IF_BANDWIDTH_CHANGE": msg210,
+ "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203,
+ "IF_DELETE_AUTO": msg139,
+ "IF_DETACHED": msg140,
+ "IF_DETACHED_MODULE_REMOVED": msg141,
+ "IF_DOWN_ADMIN_DOWN": select11,
+ "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199,
+ "IF_DOWN_CFG_CHANGE": msg193,
+ "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295,
+ "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38,
+ "IF_DOWN_ELP_FAILURE_ISOLATION": msg330,
+ "IF_DOWN_ERROR_DISABLED": msg35,
+ "IF_DOWN_FCOT_NOT_PRESENT": select17,
+ "IF_DOWN_INACTIVE": msg142,
+ "IF_DOWN_INITIALIZING": select18,
+ "IF_DOWN_INTERFACE_REMOVED": msg39,
+ "IF_DOWN_LINK_FAILURE": select12,
+ "IF_DOWN_MODULE_REMOVED": msg42,
+ "IF_DOWN_NONE": select19,
+ "IF_DOWN_NON_PARTICIPATING": msg143,
+ "IF_DOWN_NOS_RCVD": select20,
+ "IF_DOWN_OFFLINE": msg114,
+ "IF_DOWN_OLS_RCVD": msg115,
+ "IF_DOWN_PARENT_ADMIN_DOWN": msg211,
+ "IF_DOWN_PEER_CLOSE": msg234,
+ "IF_DOWN_PEER_RESET": msg235,
+ "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43,
+ "IF_DOWN_SOFTWARE_FAILURE": msg116,
+ "IF_DOWN_SRC_PORT_NOT_BOUND": msg117,
+ "IF_DOWN_SUSPENDED_BY_SPEED": msg293,
+ "IF_DOWN_TCP_MAX_RETRANSMIT": msg232,
+ "IF_DOWN_VEM_UNLICENSED": msg144,
+ "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332,
+ "IF_DUPLEX": msg44,
+ "IF_ERRDIS_RECOVERY": msg296,
+ "IF_ERROR_VLANS_REMOVED": msg191,
+ "IF_ERROR_VLANS_SUSPENDED": msg192,
+ "IF_HARDWARE": msg239,
+ "IF_NON_CISCO_TRANSCEIVER": msg297,
+ "IF_PORTPROFILE_ATTACHED": msg125,
+ "IF_RX_FLOW_CONTROL": msg45,
+ "IF_SEQ_ERROR": msg46,
+ "IF_SFP_ALARM": select35,
+ "IF_SFP_WARNING": msg231,
+ "IF_TRUNK_DOWN": select21,
+ "IF_TRUNK_UP": select22,
+
"IF_TX_FLOW_CONTROL": msg47,
+ "IF_UP": select13,
+ "IF_XCVR_ALARM": select34,
+ "IF_XCVR_WARNING": select33,
+ "IMG_DNLD_COMPLETE": msg63,
+ "IMG_DNLD_STARTED": msg64,
+ "IM_INTF_STATE": msg283,
+ "IM_SEQ_ERROR": msg59,
+ "INFO": msg374,
+ "INFORMATION": msg205,
+ "INTF_CONSISTENCY_FAILED": msg236,
+ "INTF_CONSISTENCY_SUCCESS": msg237,
+ "INTF_COUNTERS_CLEARED": msg238,
+ "INVAL_IP": msg336,
+ "INVAL_MAC": msg372,
+ "L2FMC_NL_MTS_SEND_FAILURE": msg290,
+ "L2FM_MAC_FLAP_DISABLE_LEARN": msg362,
+ "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363,
+ "L2FM_MAC_MOVE2": msg369,
+ "LACP_SUSPEND_INDIVIDUAL": msg326,
+ "LCM_MODULE_UPGRADE_END": msg306,
+ "LCM_MODULE_UPGRADE_START": msg305,
+ "LC_UPGRADE_REBOOT": msg302,
+ "LC_UPGRADE_START": msg301,
+ "LOG-7-SYSTEM_MSG": msg1,
+ "LOG_CMP_AAA_FAILURE": msg67,
+ "LOG_CMP_UP": msg244,
+ "LOG_LIC_N1K_EXPIRY_WARNING": msg68,
+ "M2FIB_MAC_TBL_PRGMING": msg257,
+ "MAC_MOVE_NOTIFICATION": msg333,
+ "MEMORY_ALERT": msg249,
+ "MEMORY_ALERT_RECOVERED": msg250,
+ "MESG": msg130,
+ "MODULE_LOCK_FAILED": msg289,
+ "MODULE_ONLINE": msg261,
+ "MOD_BRINGUP_MULTI_LIMIT": msg96,
+ "MOD_DETECT": msg83,
+ "MOD_FAIL": msg69,
+ "MOD_MAJORSWFAIL": msg70,
+ "MOD_OK": msg75,
+ "MOD_PWRDN": msg84,
+ "MOD_PWRFAIL_EJECTORS_OPEN": msg316,
+ "MOD_PWRUP": msg85,
+ "MOD_REMOVE": msg86,
+ "MOD_RESTART": msg76,
+ "MOD_SRG_NOT_COMPATIBLE": msg71,
+ "MOD_STATUS": msg98,
+ "MOD_WARNING": select14,
+ "MOUNT": msg243,
+ "MSG_PORT_LOGGED_IN": msg329,
+ "MSG_PORT_LOGGED_OUT": msg328,
+ "MSG_SEND_FAILURE_STANDBY_RESET": msg288,
+ "MSM_CRIT": msg66,
+ "MST_PORT_BOUNDARY": msg281,
+ "MTSERROR": msg34,
+ "MTS_DROP": msg57,
+ "NATIVE_VLAN_MISMATCH": msg207,
+ "NBRCHANGE_DUAL": msg253,
+ "NEIGHBOR_ADDED": msg208,
+ "NEIGHBOR_REMOVED": msg209,
+ "NEIGHBOR_UPDATE_AUTOCOPY": msg33,
+ "NOHMS_DIAG_ERROR": msg339,
+ "NOHMS_DIAG_ERR_PS_FAIL": msg215,
+ "NOHMS_DIAG_ERR_PS_RECOVERED": msg216,
+ "NOHMS_ENV_FEX_OFFLINE": msg310,
+ "NOHMS_ENV_FEX_ONLINE": msg311,
+
"PEER_KEEP_ALIVE_RECV_FAIL": msg266,
+ "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264,
+ "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265,
+ "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267,
+ "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268,
+ "PEER_KEEP_ALIVE_STATUS": msg269,
+ "PEER_VPC_CFGD": msg308,
+ "PEER_VPC_CFGD_VLANS_CHANGED": msg99,
+ "PEER_VPC_DELETED": msg100,
+ "PEER_VPC_DOWN": msg263,
+ "PFM_ALERT": msg347,
+ "PFM_CLOCK_CHANGE": msg194,
+ "PFM_FAN_FLTR_STATUS": msg242,
+ "PFM_MODULE_POWER_ON": msg87,
+ "PFM_PS_RED_MODE_CHG": msg370,
+ "PFM_SYSTEM_RESET": msg88,
+ "PFM_VEM_DETECTED": msg101,
+ "PFM_VEM_REMOVE_NO_HB": msg89,
+ "PFM_VEM_REMOVE_RESET": msg90,
+ "PFM_VEM_REMOVE_STATE_CONFLICT": msg91,
+ "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92,
+ "PFM_VEM_UNLICENSED": msg93,
+ "PINNING_CHANGED": msg317,
+ "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282,
+ "POLICY_ACTIVATE_EVENT": msg27,
+ "POLICY_COMMIT_EVENT": msg28,
+ "POLICY_DEACTIVATE_EVENT": msg29,
+ "POLICY_LOOKUP_EVENT": select10,
+ "PORT_ADDED": msg218,
+ "PORT_DELETED": msg219,
+ "PORT_DOWN": msg53,
+ "PORT_INDIVIDUAL": msg294,
+ "PORT_INDIVIDUAL_DOWN": msg212,
+ "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124,
+ "PORT_RANGE_ADDED": msg280,
+ "PORT_RANGE_DELETED": msg279,
+ "PORT_RANGE_ROLE": msg277,
+ "PORT_RANGE_STATE": msg278,
+ "PORT_ROLE": msg220,
+ "PORT_SOFTWARE_FAILURE": msg65,
+ "PORT_STATE": msg221,
+ "PORT_SUSPENDED": msg213,
+ "PORT_UP": msg54,
+ "PS_ABSENT": msg364,
+ "PS_CAPACITY_CHANGE": select16,
+ "PS_DETECT": msg365,
+ "PS_FAIL": msg204,
+ "PS_FANOK": msg94,
+ "PS_FOUND": msg102,
+ "PS_OK": msg95,
+ "PS_PWR_INPUT_MISSING": msg314,
+ "PS_RED_MODE_CHG": msg371,
+ "PS_RED_MODE_RESTORED": msg315,
+ "PS_STATUS": msg103,
+ "PVLAN_PPM_PORT_CONFIG_FAILED": msg129,
+ "READCONF_STARTED": msg299,
+ "RM_VICPP_RECREATE_ERROR": msg132,
+ "ROUTERFOUND": msg349,
+ "RUNTIME_DB_RESTORE_STARTED": msg303,
+ "RUNTIME_DB_RESTORE_SUCCESS": msg304,
+ "SATCTRL": msg318,
+ "SATCTRL_IMAGE": msg321,
+ "SENSOR_MSG1": msg323,
+ "SERVER_ADDED": msg291,
+ "SERVER_REMOVED": msg292,
+ "SERVICEFOUND": msg348,
+ "SERVICELOST": msg202,
+ "SERVICE_CRASHED": msg201,
+ "SERVICE_STARTED": msg375,
+ "SOHMS_DIAG_ERROR": select37,
+ "SPEED": msg50,
+ "SRVSTATE_CHANGED": msg373,
+ "STANDBY_SUP_OK": msg126,
+ "STM_LEARNING_RE_ENABLE": msg340,
+ "STM_LOOP_DETECT": msg127,
+ "SUBGROUP_ID_PORT_ADDED": msg55,
+ "SUBGROUP_ID_PORT_REMOVED": msg56,
+ "SUBPROC_SUCCESS_EXIT": msg367,
+ "SUBPROC_TERMINATED": msg366,
+ "SUP_POWERDOWN": msg300,
+ "SWITCHOVER_OVER": msg285,
+ "SYNC_COMPLETE": msg128,
+ "SYNC_FAILURE_STANDBY_RESET": msg195,
+ "SYN_COLL_DIS_EN": msg309,
+ "SYSLOG_LOG_WARNING": msg58,
+ "SYSLOG_SL_MSG_WARNING": msg337,
+ "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241,
+ "SYSTEM_MSG": select9,
+ "TACACS_ACCOUNTING_MESSAGE": select32,
+ "TACACS_ERROR_MESSAGE": msg230,
+ "UDLD_PORT_DISABLED": msg341,
+ "UNKNOWN_MTYPE": msg320,
+ "UPDOWN": msg368,
+ "VDC_HOSTNAME_CHANGE": msg26,
+ "VDC_MODULETYPE": msg286,
+ "VDC_ONLINE": msg325,
+ "VDC_STATE_CHANGE": msg284,
+ "VMS_PPM_SYNC_COMPLETE": msg151,
+ "VPC_CFGD": msg260,
+ "VPC_DELETED": msg152,
+ "VPC_ISSU_END": msg276,
+ "VPC_ISSU_START": msg275,
+ "VPC_UP": msg153,
+ "VSHD_SYSLOG_CONFIG_I": select25,
+ "XBAR_DETECT": msg271,
+ "XBAR_OK": msg274,
+ "XBAR_PWRDN": msg273,
+ "XBAR_PWRUP": msg272,
+ "ZS_MERGE_FAILED": msg331,
+ "dstats": msg327,
+ "last": msg200,
+ "ntpd": select41,
+ "snmpd": select29,
+ "zone": msg334,
+ }),
+ ]);
+
+ var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description");
+
+ var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}");
+
+ var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}");
+
+ var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}");
+
+ var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}");
+
+ var part333 = 
match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})");
+
+ var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}");
+
+ var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}");
+
+ var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}");
+
+ var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}");
+
+ var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}");
+
+ var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}");
+
+ var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}");
+
+ var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}");
+
+ var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}");
+
+ var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}");
+
+ var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}");
+
+ var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}");
+
+ var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}");
+
+ var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}");
+
+ var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}");
+
+ var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}");
+
+ var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}");
+
+ var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}");
+
+ var part352 = 
match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}");
+
+ var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info");
+
+ var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}");
+
+ var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}");
+
+ var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}");
+
+ var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([
+ dup15,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([
+ dup23,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([
+ dup23,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([
+ dup15,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([
+ dup24,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var select44 = linear_select([
+ dup26,
+ dup27,
+ ]);
+
+ var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([
+ dup1,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([
+ dup24,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part365 = 
match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([
+ dup15,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([
+ dup23,
+ dup34,
+ dup35,
+ dup14,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([
+ dup33,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var select45 = linear_select([
+ dup46,
+ dup47,
+ ]);
+
+ var select46 = linear_select([
+ dup49,
+ dup50,
+ ]);
+
+ var select47 = linear_select([
+ dup54,
+ dup55,
+ ]);
+
+ var select48 = linear_select([
+ dup57,
+ dup58,
+ ]);
+
+ var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([
+ dup23,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var select49 = linear_select([
+ dup65,
+ dup66,
+ ]);
+
+ var select50 = linear_select([
+ dup67,
+ dup68,
+ ]);
+
+ var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([
+ dup15,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([
+ dup23,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+ var select51 = linear_select([
+ dup70,
+ dup71,
+ ]);
+
+ var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([
+ dup61,
+ dup2,
+ dup3,
+ dup4,
+ ]));
+
+- community_id:
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- 
registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/cisco/0.13.3/data_stream/nexus/agent/stream/tcp.yml.hbs b/packages/cisco/0.13.3/data_stream/nexus/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..9de232f8f2
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/nexus/agent/stream/tcp.yml.hbs
@@ -0,0 +1,7176 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Cisco"
+ product: "Nexus"
+ type: "Switches"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM + doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept + any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} Hit-count = %{dclass_counter1}"); + + var dup60 = setc("dclass_counter1_string","Hit Count"); + + var dup61 = setc("eventcategory","1603100000"); + + var dup62 = setc("eventcategory","1701020000"); + + var dup63 = setc("eventcategory","1801000000"); + + var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var dup72 = setc("ec_outcome","Error"); + + var dup73 = setc("eventcategory","1703000000"); + + var dup74 = setc("obj_type","vPC"); + + var dup75 = setc("ec_subject","OS"); + + var dup76 = setc("ec_activity","Start"); + + var dup77 = setc("eventcategory","1801010000"); + + var dup78 = setc("ec_activity","Receive"); + + var dup79 = setc("ec_activity","Send"); + + var dup80 = setc("ec_activity","Create"); + + var dup81 = setc("event_description","Switchover completed."); + + var dup82 = setc("event_description","Invalid user"); + + var dup83 = setc("eventcategory","1401000000"); + + var dup84 = setc("ec_subject","Service"); + + var dup85 = setc("event_description","Duplicate address Detected."); + + var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", 
processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup92 = linear_select([ + dup26, + dup27, + ]); + + var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var dup98 = linear_select([ + dup46, + dup47, + 
]); + + var dup99 = linear_select([ + dup49, + dup50, + ]); + + var dup100 = linear_select([ + dup54, + dup55, + ]); + + var dup101 = linear_select([ + dup57, + dup58, + ]); + + var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup103 = linear_select([ + dup65, + dup66, + ]); + + var dup104 = linear_select([ + dup67, + dup68, + ]); + + var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup107 = linear_select([ + dup70, + dup71, + ]); + + var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0007"), + ])); + + var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr5 
= match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0012"), + ])); + + var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0008"), + ])); + + var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ + setc("header_id","0011"), + ])); + + var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0009"), + ])); + + var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0013"), + ])); + + var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0010"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + ]); + + var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); + + var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + 
dup3, + dup4, + dup6, + ])); + + var msg2 = msg("SYSTEM_MSG", part1); + + var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, + ])); + + var msg3 = msg("SYSTEM_MSG:12", part2); + + var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg4 = msg("SYSTEM_MSG:01", part3); + + var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg5 = msg("SYSTEM_MSG:11", part4); + + var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); + + var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); + + var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); + + var select2 = linear_select([ + part6, + part7, + ]); + + var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); + + var all1 = all_match({ + processors: [ + part5, + select2, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + ]), + }); + + var msg6 = msg("SYSTEM_MSG:19", all1); + + var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg7 = msg("SYSTEM_MSG:02", part9); + + var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); + + var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); + + var select3 = 
linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); + + var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); + + var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); + + var select4 = linear_select([ + part13, + part14, + ]); + + var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); + + var all2 = all_match({ + processors: [ + select3, + part12, + select4, + part15, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg8 = msg("SYSTEM_MSG:03", all2); + + var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg9 = msg("SYSTEM_MSG:04", part16); + + var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); + + var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); + + var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); + + var select5 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); + + var all3 = all_match({ + processors: [ + part17, + select5, + part20, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg10 = msg("SYSTEM_MSG:05", all3); + + var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg11 = msg("SYSTEM_MSG:06", part21); + + var part22 = match("MESSAGE#11:SYSTEM_MSG:07", 
"nwparser.payload", "fatal:%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg12 = msg("SYSTEM_MSG:07", part22); + + var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg13 = msg("SYSTEM_MSG:09", part23); + + var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg14 = msg("SYSTEM_MSG:10", part24); + + var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg15 = msg("SYSTEM_MSG:13", part25); + + var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg16 = msg("SYSTEM_MSG:14", part26); + + var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup11, + dup12, + ])); + + var msg17 = msg("SYSTEM_MSG:15", part27); + + var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup11, + dup13, + dup12, + dup14, + ])); + + var msg18 = msg("SYSTEM_MSG:16", part28); + + var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); + + var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); + + var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); + + var select6 = 
linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); + + var all4 = all_match({ + processors: [ + part29, + select6, + part32, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg19 = msg("SYSTEM_MSG:17", all4); + + var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg20 = msg("SYSTEM_MSG:20", part33); + + var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + setc("ec_subject","Password"), + dup16, + dup12, + dup17, + ])); + + var msg21 = msg("SYSTEM_MSG:21", part34); + + var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg22 = msg("SYSTEM_MSG:22", part35); + + var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + ])); + + var msg23 = msg("SYSTEM_MSG:23", part36); + + var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); + + var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); + + var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); + + var all5 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup19, + 
dup2, + dup3, + dup4, + dup11, + dup20, + dup17, + ]), + }); + + var msg24 = msg("SYSTEM_MSG:24", all5); + + var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); + + var select8 = linear_select([ + part41, + dup21, + ]); + + var all6 = all_match({ + processors: [ + select8, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg25 = msg("SYSTEM_MSG:08", all6); + + var select9 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + ]); + + var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); + + var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("action","activated"), + setc("event_description","Policy is activated by profile"), + ])); + + var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); + + var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg28 = msg("POLICY_COMMIT_EVENT", part44); + + var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ + setc("eventcategory","1701070000"), + dup2, + dup3, + dup4, + setc("action","de-activated"), + setc("event_description","Policy is de-activated by last referring profile"), + ])); + + var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); + + var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", 
"nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); + + var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg31 = msg("POLICY_LOOKUP_EVENT", part47); + + var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); + + var select10 = linear_select([ + msg30, + msg31, + msg32, + ]); + + var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); + + var msg34 = msg("MTSERROR", dup86); + + var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. 
Reason:%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); + + var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); + + var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); + + var select11 = linear_select([ + msg36, + msg37, + ]); + + var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); + + var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); + + var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); + + var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); + + var select12 = linear_select([ + msg40, + msg41, + ]); + + var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); + + var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); + + var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface duplex mode changed"), + ])); + + var msg44 = msg("IF_DUPLEX", part51); + + var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); + + var all7 = all_match({ + processors: [ + part52, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Receive Flow Control state changed"), + ]), + }); + + var msg45 = msg("IF_RX_FLOW_CONTROL", all7); + + var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg46 = msg("IF_SEQ_ERROR", part53); + + var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); + + var all8 = all_match({ + 
processors: [ + part54, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Transmit Flow Control state changed"), + ]), + }); + + var msg47 = msg("IF_TX_FLOW_CONTROL", all8); + + var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up in mode"), + ])); + + var msg48 = msg("IF_UP", part55); + + var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up"), + ])); + + var msg49 = msg("IF_UP:01", part56); + + var select13 = linear_select([ + msg48, + msg49, + ]); + + var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational speed changed"), + ])); + + var msg50 = msg("SPEED", part57); + + var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg51 = msg("CREATED", part58); + + var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg52 = msg("FOP_CHANGED", part59); + + var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg53 = msg("PORT_DOWN", part60); + + var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg54 = msg("PORT_UP", 
part61); + + var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); + + var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); + + var msg57 = msg("MTS_DROP", dup87); + + var msg58 = msg("SYSLOG_LOG_WARNING", dup87); + + var msg59 = msg("IM_SEQ_ERROR", dup93); + + var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); + + var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); + + var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); + + var msg63 = msg("IMG_DNLD_COMPLETE", dup87); + + var msg64 = msg("IMG_DNLD_STARTED", dup87); + + var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); + + var msg66 = msg("MSM_CRIT", dup93); + + var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); + + var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); + + var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg69 = msg("MOD_FAIL", part66); + + var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + 
var msg70 = msg("MOD_MAJORSWFAIL", part67); + + var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); + + var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg72 = msg("MOD_WARNING:01", part69); + + var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg73 = msg("MOD_WARNING", part70); + + var select14 = linear_select([ + msg72, + msg73, + ]); + + var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg74 = msg("ACTIVE_SUP_OK", part71); + + var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg75 = msg("MOD_OK", part72); + + var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg76 = msg("MOD_RESTART", part73); + + var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute resolved for port on VLAN"), + ])); + + var msg77 = 
msg("DISPUTE_CLEARED", part74); + + var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute detected on port on VLAN"), + ])); + + var msg78 = msg("DISPUTE_DETECTED", part75); + + var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); + + var msg80 = msg("CHASSIS_CLKMODOK", dup87); + + var msg81 = msg("CHASSIS_CLKSRC", dup87); + + var msg82 = msg("FAN_OK", dup87); + + var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg83 = msg("MOD_DETECT", part76); + + var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg84 = msg("MOD_PWRDN", part77); + + var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg85 = msg("MOD_PWRUP", part78); + + var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg86 = msg("MOD_REMOVE", part79); + + var msg87 = msg("PFM_MODULE_POWER_ON", dup87); + + var msg88 = msg("PFM_SYSTEM_RESET", dup87); + + var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); + + var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); + + var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); + + var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); + + var msg93 = msg("PFM_VEM_UNLICENSED", dup87); + + var msg94 = msg("PS_FANOK", dup87); + + var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number 
%{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg95 = msg("PS_OK", part80); + + var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); + + var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg97 = msg("FAN_DETECT", part82); + + var msg98 = msg("MOD_STATUS", dup87); + + var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC configured vlans changed"), + ])); + + var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); + + var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg100 = msg("PEER_VPC_DELETED", part84); + + var msg101 = msg("PFM_VEM_DETECTED", dup87); + + var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg102 = msg("PS_FOUND", part85); + + var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); + + var select15 = linear_select([ + part86, + dup21, + ]); + + var all9 = all_match({ + processors: [ + select15, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg103 = msg("PS_STATUS", all9); + + var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); + + var msg105 = msg("PS_CAPACITY_CHANGE", dup87); + + var select16 = linear_select([ + msg104, + msg105, + ]); + + var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); + + var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); + + var select17 = linear_select([ + msg106, + msg107, + ]); + + var msg108 = msg("IF_DOWN_INITIALIZING", dup90); + + var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); + + var select18 = linear_select([ + msg108, + msg109, + ]); + + var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg110 = msg("IF_DOWN_NONE", part88); + + var msg111 = msg("IF_DOWN_NONE:01", dup96); + + var select19 = linear_select([ + msg110, + msg111, + ]); + + var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); + + var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); + + var select20 = linear_select([ + msg112, + msg113, + ]); + + var msg114 = msg("IF_DOWN_OFFLINE", dup88); + + var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); + + var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); + + var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); + + var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg118 = msg("IF_TRUNK_DOWN", part90); + + var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ + dup23, + dup2, + dup3, + dup4, 
+ ])); + + var msg119 = msg("IF_TRUNK_DOWN:01", part91); + + var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg120 = msg("IF_TRUNK_DOWN:02", part92); + + var select21 = linear_select([ + msg118, + msg119, + msg120, + ]); + + var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg121 = msg("IF_TRUNK_UP", part93); + + var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg122 = msg("IF_TRUNK_UP:01", part94); + + var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg123 = msg("IF_TRUNK_UP:02", part95); + + var select22 = linear_select([ + msg121, + msg122, + msg123, + ]); + + var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); + + var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); + + var msg126 = msg("STANDBY_SUP_OK", dup87); + + var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Loops detected in the network among ports"), + ])); + + var msg127 = msg("STM_LOOP_DETECT", part97); + + var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ + dup15, + 
dup2, + dup3, + dup4, + ])); + + var msg128 = msg("SYNC_COMPLETE", part98); + + var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); + + var msg130 = msg("MESG", dup87); + + var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var msg131 = msg("ERR_MSG", part99); + + var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); + + var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); + + var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg134 = msg("CFGWRITE_FAILED", part101); + + var msg135 = msg("CFGWRITE_ABORTED", dup87); + + var msg136 = msg("CFGWRITE_DONE", dup87); + + var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); + + var select23 = linear_select([ + part102, + dup21, + ]); + + var all10 = all_match({ + processors: [ + select23, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg137 = msg("CFGWRITE_STARTED", all10); + + var msg138 = msg("IF_ATTACHED", dup87); + + var msg139 = msg("IF_DELETE_AUTO", dup94); + + var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg140 = msg("IF_DETACHED", part103); + + var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); + + var msg142 = msg("IF_DOWN_INACTIVE", dup88); + + var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); + + var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", 
processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); + + var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ + dup36, + dup2, + dup3, + dup4, + ])); + + var msg145 = msg("CONN_CONNECT", part105); + + var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup3, + dup4, + ])); + + var msg146 = msg("CONN_DISCONNECT", part106); + + var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg147 = msg("DVPG_CREATE", part107); + + var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg148 = msg("DVPG_DELETE", part108); + + var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); + + var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg150 = msg("DVS_NAME_CHANGE", part109); + + var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); + + var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg152 = msg("VPC_DELETED", part110); + + var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","VPC is up"), + ])); + + var msg153 = msg("VPC_UP", part111); + + var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by 
%{username->} on %{p0}"); + + var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); + + var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); + + var select24 = linear_select([ + part113, + part114, + ]); + + var all11 = all_match({ + processors: [ + part112, + select24, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); + + var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); + + var select25 = linear_select([ + msg154, + msg155, + ]); + + var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); + + var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); + + var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","program start"), + ])); + + var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); + + var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); + + var part120 = 
match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); + + var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); + + var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + ])); + + var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); + + var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); + + var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); + + var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); + + var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); + + var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", 
"update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); + + var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); + + var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); + + var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); + + var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); + + var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); + + var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var select26 = linear_select([ + part132, + part133, + ]); + + var all12 = all_match({ + processors: [ + dup42, + select26, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); + + var part134 = 
match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); + + var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); + + var select27 = linear_select([ + part134, + part135, + ]); + + var all13 = all_match({ + processors: [ + dup42, + select27, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); + + var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); + + var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Added user"), + dup44, + ])); + + var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); + + var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Deleted user"), + dup44, + ])); + + var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); + + var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); + + var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg178 = 
msg("AAA_ACCOUNTING_MESSAGE:07", part140); + + var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); + + var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); + + var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); + + var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); + + var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","shell terminated"), + ])); + + var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); + + var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); + + var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); + + var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", 
"nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); + + var select28 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + ]); + + var all14 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Log Flow Interval"), + dup60, + ]), + }); + + var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); + + var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); + + var all15 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Lof New Flow"), + dup60, + ]), + }); + + var msg189 = msg("ACLLOG_NEW_FLOW", all15); + + var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), + ])); + + var msg190 = msg("DUP_VADDR_SRC_IP", part150); + + var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", 
"nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); + + var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); + + var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); + + var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg194 = msg("PFM_CLOCK_CHANGE", part154); + + var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); + + var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg196 = msg("snmpd", part156); + + var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg197 = msg("snmpd:01", part157); + + var select29 = linear_select([ + msg196, + msg197, + ]); + + var 
part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg198 = msg("CFGWRITE_USER_ABORT", part158); + + var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); + + var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","last message repeated number of times."), + setc("dclass_counter1_string","Number of times repeated"), + ])); + + var msg200 = msg("last", part159); + + var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg201 = msg("SERVICE_CRASHED", part160); + + var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service lost on WCCP Client"), + ])); + + var msg202 = msg("SERVICELOST", part161); + + var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); + + var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); + + var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); + + var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); + + var select30 = linear_select([ + part164, + part165, + ]); + + var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); + + var all16 = all_match({ + processors: [ + part163, + 
select30, + part166, + ], + on_success: processor_chain([ + dup23, + dup2, + dup3, + dup4, + ]), + }); + + var msg204 = msg("PS_FAIL", all16); + + var msg205 = msg("INFORMATION", dup87); + + var msg206 = msg("EVENT", dup87); + + var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); + + var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg208 = msg("NEIGHBOR_ADDED", part168); + + var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg209 = msg("NEIGHBOR_REMOVED", part169); + + var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); + + var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); + + var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); + + var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg213 = 
msg("PORT_SUSPENDED", part173); + + var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","status"), + ])); + + var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); + + var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); + + var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); + + var msg217 = msg("ADJCHANGE", dup87); + + var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg218 = msg("PORT_ADDED", part175); + + var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg219 = msg("PORT_DELETED", part176); + + var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + ])); + + var msg220 = msg("PORT_ROLE", part177); + + var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","Port state"), + ])); + + var msg221 = msg("PORT_STATE", part178); + + var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); + + var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", 
"nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); + + var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); + + var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); + + var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); + + var select31 = linear_select([ + part183, + part184, + ]); + + var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); + + var all17 = all_match({ + processors: [ + part182, + select31, + part185, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); + + var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); + + var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","Performing configuration copy"), + ])); + + var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); + + var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); + + var all18 = all_match({ + processors: [ + dup64, + dup103, + part188, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","shell terminated because of session timeout"), + ]), + }); + + var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); + + var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); + + var all19 = all_match({ + processors: [ + dup64, + dup103, + part189, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); + + var select32 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + ]); + + var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); + + var msg231 = msg("IF_SFP_WARNING", dup105); + + var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); + + var msg233 = msg("FCIP_PEER_CAVIUM", dup87); + + var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); + + var msg235 = msg("IF_DOWN_PEER_RESET", dup106); + + var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","configuration is not consistent in domain"), + ])); + + var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); + + var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ + dup8, + dup2, + dup3, + dup4, + 
setc("event_description","configuration is consistent in domain"), + ])); + + var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); + + var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); + + var msg239 = msg("IF_HARDWARE", dup105); + + var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ + setc("eventcategory","1604010000"), + dup2, + dup3, + dup4, + ])); + + var msg240 = msg("HEARTBEAT_FAILURE", part192); + + var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); + + var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); + + var msg243 = msg("MOUNT", dup87); + + var msg244 = msg("LOG_CMP_UP", dup87); + + var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); + + var all20 = all_match({ + processors: [ + dup69, + dup107, + part193, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg245 = msg("IF_XCVR_WARNING", all20); + + var msg246 = msg("IF_XCVR_WARNING:01", dup108); + + var select33 = linear_select([ + msg245, + msg246, + ]); + + var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); + + var all21 = all_match({ + processors: [ + dup69, + dup107, + part194, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg247 = msg("IF_XCVR_ALARM", all21); + + var msg248 = msg("IF_XCVR_ALARM:01", dup108); + + var select34 = linear_select([ + msg247, + msg248, + ]); + + var msg249 = msg("MEMORY_ALERT", dup87); + + var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); + + var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); + + var all22 = all_match({ + processors: [ + dup69, + dup107, + part195, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg251 = msg("IF_SFP_ALARM", all22); + + var msg252 = msg("IF_SFP_ALARM:01", dup108); + + var select35 = linear_select([ 
+ msg251, + msg252, + ]); + + var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var msg253 = msg("NBRCHANGE_DUAL", part196); + + var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); + + var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); + + var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); + + var select36 = linear_select([ + part198, + part199, + ]); + + var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); + + var all23 = all_match({ + processors: [ + part197, + select36, + part200, + ], + on_success: processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","System minor alarm on fans in fan tray"), + ]), + }); + + var msg254 = msg("SOHMS_DIAG_ERROR", all23); + + var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","FEX-System minor alarm on power supply."), + ])); + + var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); + + var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); + + var select37 = linear_select([ + msg254, + msg255, + msg256, + ]); + + var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Failed to program the mac table"), + ])); + + var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); + + var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ + dup19, + dup11, + dup20, + setc("ec_theme","UserGroup"), + dup2, + dup3, + dup4, + setc("event_description","deleting expired user account"), + ])); + + var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); + + var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","Interface is admin up."), + ])); + + var msg259 = msg("IF_ADMIN_UP", part205); + + var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","vPC is configured"), + dup74, + ])); + + var msg260 = msg("VPC_CFGD", part206); + + var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ + dup30, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","System Manager has received notification of local module becoming online."), + ])); + + var msg261 = msg("MODULE_ONLINE", part207); + + var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ + dup30, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","System booted from Primary BIOS Flash"), + ])); + + var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); + + var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ + dup77, + dup34, + dup38, + 
dup72, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC is down"), + dup74, + ])); + + var msg263 = msg("PEER_VPC_DOWN", part209); + + var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); + + var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); + + var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); + + var select38 = linear_select([ + part211, + part212, + ]); + + var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); + + var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); + + var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); + + var select39 = linear_select([ + part214, + part215, + ]); + + var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); + + var all24 = all_match({ + processors: [ + part210, + select38, + part213, + select39, + part216, + ], + on_success: processor_chain([ + dup36, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive received on interface"), + ]), + }); + + var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); + + var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ + dup36, + dup34, + dup78, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive receive is successful"), + ])); + + var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); + + var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup14, + dup2, 
+ dup3, + dup4, + setc("event_description","In domain, VPC peer keep-alive receive has failed"), + ])); + + var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); + + var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive sent on interface"), + ])); + + var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); + + var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive send is successful"), + ])); + + var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); + + var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ + dup30, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Peer keep-alive status changed."), + setc("change_attribute","peer keep-alive status"), + ])); + + var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); + + var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Ejectors' status in slot has changed."), + ])); + + var msg270 = msg("EJECTOR_STAT_CHANGED", part222); + + var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ + dup29, + setc("ec_activity","Detect"), + dup38, + dup2, + dup3, + dup4, + setc("event_description","Xbar detected"), + ])); + + var msg271 = 
msg("XBAR_DETECT", part223); + + var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","Xbar powered up"), + ])); + + var msg272 = msg("XBAR_PWRUP", part224); + + var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + setc("ec_activity","Stop"), + dup2, + dup3, + dup4, + setc("event_description","Xbar powered down"), + ])); + + var msg273 = msg("XBAR_PWRDN", part225); + + var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Xbar is online"), + ])); + + var msg274 = msg("XBAR_OK", part226); + + var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU start, locking configuration"), + ])); + + var msg275 = msg("VPC_ISSU_START", part227); + + var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), + ])); + + var msg276 = msg("VPC_ISSU_END", part228); + + var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("obj_type","new_role"), + ])); + + var msg277 = msg("PORT_RANGE_ROLE", part229); + + var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + 
dup4, + setc("obj_type","new_state"), + ])); + + var msg278 = msg("PORT_RANGE_STATE", part230); + + var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface removed from MST."), + ])); + + var msg279 = msg("PORT_RANGE_DELETED", part231); + + var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ + dup29, + dup34, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface added to MST."), + ])); + + var msg280 = msg("PORT_RANGE_ADDED", part232); + + var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Port removed as MST Boundary port"), + ])); + + var msg281 = msg("MST_PORT_BOUNDARY", part233); + + var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Non-transactional PIXM Error"), + ])); + + var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); + + var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("obj_type"," Interface state"), + ])); + + var msg283 = msg("IM_INTF_STATE", part235); + + var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ + dup62, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","VDC state changed."), + setc("obj_type"," VDC state"), + ])); + + var msg284 = msg("VDC_STATE_CHANGE", part236); + + var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup81, + ])); + + var msg285 = msg("SWITCHOVER_OVER", part237); + + var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ + dup62, + dup16, + dup38, + dup2, + dup3, + dup4, + dup81, + setc("obj_type"," New Module type"), + ])); + + var msg286 = msg("VDC_MODULETYPE", part238); + + var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ + dup77, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Unable to sync HA sequence number for service"), + ])); + + var msg287 = msg("HASEQNO_SYNC_FAILED", part239); + + var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + 
setc("event_description","Failure in sending message to standby causing standby to reset."), + ])); + + var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); + + var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Failed to lock the local module to avoid reset"), + ])); + + var msg289 = msg("MODULE_LOCK_FAILED", part241); + + var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), + ])); + + var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); + + var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ + dup29, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), + ])); + + var msg291 = msg("SERVER_ADDED", part243); + + var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ + dup24, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server on local port has been removed"), + ])); + + var msg292 = msg("SERVER_REMOVED", part244); + + var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg293 = 
msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); + + var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","port is operationally individual"), + ])); + + var msg294 = msg("PORT_INDIVIDUAL", part246); + + var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); + + var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("event_description","Interface is being recovered from error disabled state"), + ])); + + var msg296 = msg("IF_ERRDIS_RECOVERY", part248); + + var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Non-Cisco transceiver on interface is detected"), + ])); + + var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); + + var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Active supervisor is running with less memory than standby supervisor."), + ])); + + var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); + + var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Configuration update 
started."), + ])); + + var msg299 = msg("READCONF_STARTED", part251); + + var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Supervisor is running with less memory than active supervisor."), + ])); + + var msg300 = msg("SUP_POWERDOWN", part252); + + var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Starting linecard upgrade"), + ])); + + var msg301 = msg("LC_UPGRADE_START", part253); + + var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Rebooting linecard as a part of upgrade"), + ])); + + var msg302 = msg("LC_UPGRADE_REBOOT", part254); + + var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database controller started."), + ])); + + var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); + + var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database successfully restored."), + ])); + + var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); + + var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module started"), + ])); + + var msg305 = 
msg("LCM_MODULE_UPGRADE_START", part257); + + var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module ended"), + ])); + + var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); + + var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ + dup63, + dup34, + dup78, + dup35, + dup2, + dup3, + dup4, + setc("event_description","Recieved insert for lc mod"), + ])); + + var msg307 = msg("FIPS_POST_INFO_MSG", part259); + + var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","peer vPC is configured"), + dup74, + ])); + + var msg308 = msg("PEER_VPC_CFGD", part260); + + var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Potential Interop issue on interface."), + ])); + + var msg309 = msg("SYN_COLL_DIS_EN", part261); + + var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX OFFLINE"), + ])); + + var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); + + var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX ONLINE"), + ])); + + var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); + + var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + 
setc("event_description","Fex is online"), + ])); + + var msg312 = msg("FEX_STATUS_online", part264); + + var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Fex is offline"), + ])); + + var msg313 = msg("FEX_STATUS_offline", part265); + + var select40 = linear_select([ + msg312, + msg313, + ]); + + var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ + dup73, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), + ])); + + var msg314 = msg("PS_PWR_INPUT_MISSING", part266); + + var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Power redundancy operational mode changed."), + setc("change_attribute","operational mode"), + ])); + + var msg315 = msg("PS_RED_MODE_RESTORED", part267); + + var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","All ejectors open, Module will not be powered up."), + ])); + + var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); + + var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Fex pinning information is changed"), + ])); + + var msg317 = msg("PINNING_CHANGED", part269); + + var part270 = match("MESSAGE#311:SATCTRL", 
"nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX-100 Module -Cold boot"), + ])); + + var msg318 = msg("SATCTRL", part270); + + var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Client register more than once with same pid"), + ])); + + var msg319 = msg("DUP_REGISTER", part271); + + var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Unknown mtype"), + ])); + + var msg320 = msg("UNKNOWN_MTYPE", part272); + + var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + ])); + + var msg321 = msg("SATCTRL_IMAGE", part273); + + var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup1, + setc("ec_subject","Process"), + dup14, + dup2, + dup3, + dup4, + ])); + + var msg322 = msg("API_FAILED", part274); + + var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg323 = msg("SENSOR_MSG1", part275); + + var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg324 = msg("API_INIT_SEM_CLEAR", part276); + + var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","vdc has come online"), + ])); + + var msg325 = 
msg("VDC_ONLINE", part277); + + var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), + ])); + + var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); + + var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg327 = msg("dstats", part279); + + var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ + dup77, + dup34, + setc("ec_activity","Logoff"), + dup35, + dup2, + dup3, + dup4, + ])); + + var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); + + var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ + dup77, + dup34, + dup13, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg329 = msg("MSG_PORT_LOGGED_IN", part281); + + var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); + + var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg331 = msg("ZS_MERGE_FAILED", part282); + + var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); + + var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ + dup23, + dup34, + dup35, + dup2, + dup3, 
+ dup4, + setc("change_attribute","Port"), + ])); + + var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); + + var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg334 = msg("zone", part284); + + var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ + dup1, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg335 = msg("ERROR", part285); + + var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg336 = msg("INVAL_IP", part286); + + var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); + + var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg338 = msg("DUPLEX_MISMATCH", part288); + + var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg339 = msg("NOHMS_DIAG_ERROR", part289); + + var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ + dup15, + dup34, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); + + var part291 = 
match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg341 = msg("UDLD_PORT_DISABLED", part291); + + var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg342 = msg("ntpd", part292); + + var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg343 = msg("ntpd:01", part293); + + var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg344 = msg("ntpd:02", part294); + + var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg345 = msg("ntpd:03", part295); + + var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg346 = msg("ntpd:04", part296); + + var select41 = linear_select([ + msg342, + msg343, + msg344, + msg345, + msg346, + ]); + + var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg347 = msg("PFM_ALERT", part297); + + var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Client"), + ])); + + var msg348 = msg("SERVICEFOUND", part298); + + var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + 
setc("event_description","Service acquired on WCCP Router"), + ])); + + var msg349 = msg("ROUTERFOUND", part299); + + var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Authentication failed"), + ])); + + var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); + + var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup18, + dup2, + dup12, + dup3, + dup4, + setc("event_description","New user added"), + ])); + + var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); + + var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + ])); + + var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); + + var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + setc("event_description","session opened for user"), + ])); + + var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); + + var select42 = linear_select([ + msg352, + msg353, + ]); + + var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg354 = msg("%USER-3-SYSTEM_MSG", part304); + + var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg355 = msg("%USER-6-SYSTEM_MSG", part305); + + var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", 
"input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); + + var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Failed none for invalid user"), + ])); + + var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); + + var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Accepted password for user"), + ])); + + var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); + + var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","No such file or directory"), + ])); + + var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); + + var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Could not load host key"), + ])); + + var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); + + var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + ])); + + var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); + + var select43 = linear_select([ + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + ]); + + var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan 
%{vlan->} for %{duration}s due to too many mac moves", processor_chain([ + dup30, + dup2, + dup4, + setc("ec_activity","Disable"), + ])); + + var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); + + var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ + dup30, + dup2, + dup4, + dup37, + ])); + + var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); + + var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg364 = msg("PS_ABSENT", part314); + + var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg365 = msg("PS_DETECT", part315); + + var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg366 = msg("SUBPROC_TERMINATED", part316); + + var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup17, + ])); + + var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); + + var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ + dup30, + dup2, + dup4, + ])); + + var msg368 = msg("UPDOWN", part318); + + var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup4, + 
setc("change_attribute","Interface"), + ])); + + var msg369 = msg("L2FM_MAC_MOVE2", part319); + + var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); + + var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg371 = msg("PS_RED_MODE_CHG", part321); + + var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg372 = msg("INVAL_MAC", part322); + + var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ + dup15, + dup2, + dup4, + setc("change_attribute","Service status"), + ])); + + var msg373 = msg("SRVSTATE_CHANGED", part323); + + var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg374 = msg("INFO", part324); + + var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup76, + dup17, + ])); + + var msg375 = msg("SERVICE_STARTED", part325); + + var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); + + var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg377 = msg("DUP_SRCIP_PROBE", part327); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "%AUTHPRIV-3-SYSTEM_MSG": msg350, + "%AUTHPRIV-5-SYSTEM_MSG": msg351, + "%AUTHPRIV-6-SYSTEM_MSG": select42, + "%USER-3-SYSTEM_MSG": msg354, + "%USER-6-SYSTEM_MSG": select43, + "AAA_ACCOUNTING_MESSAGE": select28, + "ACLLOG_FLOW_INTERVAL": msg187, + "ACLLOG_MAXFLOW_REACHED": msg188, + "ACLLOG_NEW_FLOW": msg189, + "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, + "ACTIVE_SUP_OK": msg74, + "ADDON_IMG_DNLD_COMPLETE": msg60, + "ADDON_IMG_DNLD_STARTED": msg61, + "ADDON_IMG_DNLD_SUCCESSFUL": msg62, + "ADJCHANGE": msg217, + "API_FAILED": msg322, + "API_INIT_SEM_CLEAR": msg324, + "BIOS_DAEMON_LC_PRI_BOOT": msg262, + "CFGWRITE_ABORTED": msg135, + "CFGWRITE_ABORTED_LOCK": msg133, + "CFGWRITE_DONE": msg136, + "CFGWRITE_FAILED": msg134, + "CFGWRITE_STARTED": msg137, + "CFGWRITE_USER_ABORT": msg198, + "CHASSIS_CLKMODOK": msg80, + "CHASSIS_CLKSRC": msg81, + "CONN_CONNECT": msg145, + "CONN_DISCONNECT": msg146, + "CREATED": msg51, + "DELETE_STALE_USER_ACCOUNT": msg258, + "DISPUTE_CLEARED": msg77, + "DISPUTE_DETECTED": msg78, + "DOMAIN_CFG_SYNC_DONE": msg79, + "DUPLEX_MISMATCH": msg338, + "DUP_REGISTER": msg319, + "DUP_SRCIP_PROBE": msg377, + "DUP_VADDR_SRCIP_PROBE": msg376, + "DUP_VADDR_SRC_IP": msg190, + "DVPG_CREATE": msg147, + "DVPG_DELETE": msg148, + "DVS_HOSTMEMBER_INFO": msg149, + "DVS_NAME_CHANGE": msg150, + "EJECTOR_STAT_CHANGED": msg270, + 
"ERROR": msg335, + "ERR_MSG": msg131, + "EVENT": msg206, + "FAN_DETECT": msg97, + "FAN_OK": msg82, + "FCIP_PEER_CAVIUM": msg233, + "FEX_PORT_STATUS_NOTI": msg214, + "FEX_STATUS": select40, + "FIPS_POST_INFO_MSG": msg307, + "FOP_CHANGED": msg52, + "HASEQNO_SYNC_FAILED": msg287, + "HEARTBEAT_FAILURE": msg240, + "IF_ADMIN_UP": msg259, + "IF_ATTACHED": msg138, + "IF_BANDWIDTH_CHANGE": msg210, + "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, + "IF_DELETE_AUTO": msg139, + "IF_DETACHED": msg140, + "IF_DETACHED_MODULE_REMOVED": msg141, + "IF_DOWN_ADMIN_DOWN": select11, + "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, + "IF_DOWN_CFG_CHANGE": msg193, + "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, + "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, + "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, + "IF_DOWN_ERROR_DISABLED": msg35, + "IF_DOWN_FCOT_NOT_PRESENT": select17, + "IF_DOWN_INACTIVE": msg142, + "IF_DOWN_INITIALIZING": select18, + "IF_DOWN_INTERFACE_REMOVED": msg39, + "IF_DOWN_LINK_FAILURE": select12, + "IF_DOWN_MODULE_REMOVED": msg42, + "IF_DOWN_NONE": select19, + "IF_DOWN_NON_PARTICIPATING": msg143, + "IF_DOWN_NOS_RCVD": select20, + "IF_DOWN_OFFLINE": msg114, + "IF_DOWN_OLS_RCVD": msg115, + "IF_DOWN_PARENT_ADMIN_DOWN": msg211, + "IF_DOWN_PEER_CLOSE": msg234, + "IF_DOWN_PEER_RESET": msg235, + "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, + "IF_DOWN_SOFTWARE_FAILURE": msg116, + "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, + "IF_DOWN_SUSPENDED_BY_SPEED": msg293, + "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, + "IF_DOWN_VEM_UNLICENSED": msg144, + "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, + "IF_DUPLEX": msg44, + "IF_ERRDIS_RECOVERY": msg296, + "IF_ERROR_VLANS_REMOVED": msg191, + "IF_ERROR_VLANS_SUSPENDED": msg192, + "IF_HARDWARE": msg239, + "IF_NON_CISCO_TRANSCEIVER": msg297, + "IF_PORTPROFILE_ATTACHED": msg125, + "IF_RX_FLOW_CONTROL": msg45, + "IF_SEQ_ERROR": msg46, + "IF_SFP_ALARM": select35, + "IF_SFP_WARNING": msg231, + "IF_TRUNK_DOWN": select21, + "IF_TRUNK_UP": select22, + 
"IF_TX_FLOW_CONTROL": msg47, + "IF_UP": select13, + "IF_XCVR_ALARM": select34, + "IF_XCVR_WARNING": select33, + "IMG_DNLD_COMPLETE": msg63, + "IMG_DNLD_STARTED": msg64, + "IM_INTF_STATE": msg283, + "IM_SEQ_ERROR": msg59, + "INFO": msg374, + "INFORMATION": msg205, + "INTF_CONSISTENCY_FAILED": msg236, + "INTF_CONSISTENCY_SUCCESS": msg237, + "INTF_COUNTERS_CLEARED": msg238, + "INVAL_IP": msg336, + "INVAL_MAC": msg372, + "L2FMC_NL_MTS_SEND_FAILURE": msg290, + "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, + "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, + "L2FM_MAC_MOVE2": msg369, + "LACP_SUSPEND_INDIVIDUAL": msg326, + "LCM_MODULE_UPGRADE_END": msg306, + "LCM_MODULE_UPGRADE_START": msg305, + "LC_UPGRADE_REBOOT": msg302, + "LC_UPGRADE_START": msg301, + "LOG-7-SYSTEM_MSG": msg1, + "LOG_CMP_AAA_FAILURE": msg67, + "LOG_CMP_UP": msg244, + "LOG_LIC_N1K_EXPIRY_WARNING": msg68, + "M2FIB_MAC_TBL_PRGMING": msg257, + "MAC_MOVE_NOTIFICATION": msg333, + "MEMORY_ALERT": msg249, + "MEMORY_ALERT_RECOVERED": msg250, + "MESG": msg130, + "MODULE_LOCK_FAILED": msg289, + "MODULE_ONLINE": msg261, + "MOD_BRINGUP_MULTI_LIMIT": msg96, + "MOD_DETECT": msg83, + "MOD_FAIL": msg69, + "MOD_MAJORSWFAIL": msg70, + "MOD_OK": msg75, + "MOD_PWRDN": msg84, + "MOD_PWRFAIL_EJECTORS_OPEN": msg316, + "MOD_PWRUP": msg85, + "MOD_REMOVE": msg86, + "MOD_RESTART": msg76, + "MOD_SRG_NOT_COMPATIBLE": msg71, + "MOD_STATUS": msg98, + "MOD_WARNING": select14, + "MOUNT": msg243, + "MSG_PORT_LOGGED_IN": msg329, + "MSG_PORT_LOGGED_OUT": msg328, + "MSG_SEND_FAILURE_STANDBY_RESET": msg288, + "MSM_CRIT": msg66, + "MST_PORT_BOUNDARY": msg281, + "MTSERROR": msg34, + "MTS_DROP": msg57, + "NATIVE_VLAN_MISMATCH": msg207, + "NBRCHANGE_DUAL": msg253, + "NEIGHBOR_ADDED": msg208, + "NEIGHBOR_REMOVED": msg209, + "NEIGHBOR_UPDATE_AUTOCOPY": msg33, + "NOHMS_DIAG_ERROR": msg339, + "NOHMS_DIAG_ERR_PS_FAIL": msg215, + "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, + "NOHMS_ENV_FEX_OFFLINE": msg310, + "NOHMS_ENV_FEX_ONLINE": msg311, + 
"PEER_KEEP_ALIVE_RECV_FAIL": msg266, + "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, + "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, + "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, + "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, + "PEER_KEEP_ALIVE_STATUS": msg269, + "PEER_VPC_CFGD": msg308, + "PEER_VPC_CFGD_VLANS_CHANGED": msg99, + "PEER_VPC_DELETED": msg100, + "PEER_VPC_DOWN": msg263, + "PFM_ALERT": msg347, + "PFM_CLOCK_CHANGE": msg194, + "PFM_FAN_FLTR_STATUS": msg242, + "PFM_MODULE_POWER_ON": msg87, + "PFM_PS_RED_MODE_CHG": msg370, + "PFM_SYSTEM_RESET": msg88, + "PFM_VEM_DETECTED": msg101, + "PFM_VEM_REMOVE_NO_HB": msg89, + "PFM_VEM_REMOVE_RESET": msg90, + "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, + "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, + "PFM_VEM_UNLICENSED": msg93, + "PINNING_CHANGED": msg317, + "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, + "POLICY_ACTIVATE_EVENT": msg27, + "POLICY_COMMIT_EVENT": msg28, + "POLICY_DEACTIVATE_EVENT": msg29, + "POLICY_LOOKUP_EVENT": select10, + "PORT_ADDED": msg218, + "PORT_DELETED": msg219, + "PORT_DOWN": msg53, + "PORT_INDIVIDUAL": msg294, + "PORT_INDIVIDUAL_DOWN": msg212, + "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, + "PORT_RANGE_ADDED": msg280, + "PORT_RANGE_DELETED": msg279, + "PORT_RANGE_ROLE": msg277, + "PORT_RANGE_STATE": msg278, + "PORT_ROLE": msg220, + "PORT_SOFTWARE_FAILURE": msg65, + "PORT_STATE": msg221, + "PORT_SUSPENDED": msg213, + "PORT_UP": msg54, + "PS_ABSENT": msg364, + "PS_CAPACITY_CHANGE": select16, + "PS_DETECT": msg365, + "PS_FAIL": msg204, + "PS_FANOK": msg94, + "PS_FOUND": msg102, + "PS_OK": msg95, + "PS_PWR_INPUT_MISSING": msg314, + "PS_RED_MODE_CHG": msg371, + "PS_RED_MODE_RESTORED": msg315, + "PS_STATUS": msg103, + "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, + "READCONF_STARTED": msg299, + "RM_VICPP_RECREATE_ERROR": msg132, + "ROUTERFOUND": msg349, + "RUNTIME_DB_RESTORE_STARTED": msg303, + "RUNTIME_DB_RESTORE_SUCCESS": msg304, + "SATCTRL": msg318, + "SATCTRL_IMAGE": msg321, + "SENSOR_MSG1": msg323, + "SERVER_ADDED": msg291, 
+ "SERVER_REMOVED": msg292, + "SERVICEFOUND": msg348, + "SERVICELOST": msg202, + "SERVICE_CRASHED": msg201, + "SERVICE_STARTED": msg375, + "SOHMS_DIAG_ERROR": select37, + "SPEED": msg50, + "SRVSTATE_CHANGED": msg373, + "STANDBY_SUP_OK": msg126, + "STM_LEARNING_RE_ENABLE": msg340, + "STM_LOOP_DETECT": msg127, + "SUBGROUP_ID_PORT_ADDED": msg55, + "SUBGROUP_ID_PORT_REMOVED": msg56, + "SUBPROC_SUCCESS_EXIT": msg367, + "SUBPROC_TERMINATED": msg366, + "SUP_POWERDOWN": msg300, + "SWITCHOVER_OVER": msg285, + "SYNC_COMPLETE": msg128, + "SYNC_FAILURE_STANDBY_RESET": msg195, + "SYN_COLL_DIS_EN": msg309, + "SYSLOG_LOG_WARNING": msg58, + "SYSLOG_SL_MSG_WARNING": msg337, + "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, + "SYSTEM_MSG": select9, + "TACACS_ACCOUNTING_MESSAGE": select32, + "TACACS_ERROR_MESSAGE": msg230, + "UDLD_PORT_DISABLED": msg341, + "UNKNOWN_MTYPE": msg320, + "UPDOWN": msg368, + "VDC_HOSTNAME_CHANGE": msg26, + "VDC_MODULETYPE": msg286, + "VDC_ONLINE": msg325, + "VDC_STATE_CHANGE": msg284, + "VMS_PPM_SYNC_COMPLETE": msg151, + "VPC_CFGD": msg260, + "VPC_DELETED": msg152, + "VPC_ISSU_END": msg276, + "VPC_ISSU_START": msg275, + "VPC_UP": msg153, + "VSHD_SYSLOG_CONFIG_I": select25, + "XBAR_DETECT": msg271, + "XBAR_OK": msg274, + "XBAR_PWRDN": msg273, + "XBAR_PWRUP": msg272, + "ZS_MERGE_FAILED": msg331, + "dstats": msg327, + "last": msg200, + "ntpd": select41, + "snmpd": select29, + "zone": msg334, + }), + ]); + + var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); + + var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); + + var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); + + var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); + + var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); + + var part333 = 
match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); + + var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); + + var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); + + var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); + + var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); + + var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); + + var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); + + var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); + + var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); + + var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); + + var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); + + var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); + + var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); + + var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); + + var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); + + var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); + + var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var part352 = 
match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var select44 = linear_select([ + dup26, + dup27, + ]); + + var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var part365 = 
match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var select45 = linear_select([ + dup46, + dup47, + ]); + + var select46 = linear_select([ + dup49, + dup50, + ]); + + var select47 = linear_select([ + dup54, + dup55, + ]); + + var select48 = linear_select([ + dup57, + dup58, + ]); + + var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select49 = linear_select([ + dup65, + dup66, + ]); + + var select50 = linear_select([ + dup67, + dup68, + ]); + + var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select51 = linear_select([ + dup70, + dup71, + ]); + + var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- 
registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/cisco/0.13.3/data_stream/nexus/agent/stream/udp.yml.hbs b/packages/cisco/0.13.3/data_stream/nexus/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..64f17de3e0
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/nexus/agent/stream/udp.yml.hbs
@@ -0,0 +1,7176 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cisco" + product: "Nexus" + type: "Switches" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} Hit-count = %{dclass_counter1}"); + + var dup60 = setc("dclass_counter1_string","Hit Count"); + + var dup61 = setc("eventcategory","1603100000"); + + var dup62 = setc("eventcategory","1701020000"); + + var dup63 = setc("eventcategory","1801000000"); + + var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var dup72 = setc("ec_outcome","Error"); + + var dup73 = setc("eventcategory","1703000000"); + + var dup74 = setc("obj_type","vPC"); + + var dup75 = setc("ec_subject","OS"); + + var dup76 = setc("ec_activity","Start"); + + var dup77 = setc("eventcategory","1801010000"); + + var dup78 = setc("ec_activity","Receive"); + + var dup79 = setc("ec_activity","Send"); + + var dup80 = setc("ec_activity","Create"); + + var dup81 = setc("event_description","Switchover completed."); + + var dup82 = setc("event_description","Invalid user"); + + var dup83 = setc("eventcategory","1401000000"); + + var dup84 = setc("ec_subject","Service"); + + var dup85 = setc("event_description","Duplicate address Detected."); + + var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", 
processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup92 = linear_select([ + dup26, + dup27, + ]); + + var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var dup98 = linear_select([ + dup46, + dup47, + 
]); + + var dup99 = linear_select([ + dup49, + dup50, + ]); + + var dup100 = linear_select([ + dup54, + dup55, + ]); + + var dup101 = linear_select([ + dup57, + dup58, + ]); + + var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup103 = linear_select([ + dup65, + dup66, + ]); + + var dup104 = linear_select([ + dup67, + dup68, + ]); + + var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup107 = linear_select([ + dup70, + dup71, + ]); + + var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0007"), + ])); + + var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr5 
= match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0012"), + ])); + + var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0008"), + ])); + + var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ + setc("header_id","0011"), + ])); + + var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0009"), + ])); + + var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0013"), + ])); + + var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0010"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + ]); + + var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); + + var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + 
dup3, + dup4, + dup6, + ])); + + var msg2 = msg("SYSTEM_MSG", part1); + + var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, + ])); + + var msg3 = msg("SYSTEM_MSG:12", part2); + + var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg4 = msg("SYSTEM_MSG:01", part3); + + var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg5 = msg("SYSTEM_MSG:11", part4); + + var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); + + var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); + + var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); + + var select2 = linear_select([ + part6, + part7, + ]); + + var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); + + var all1 = all_match({ + processors: [ + part5, + select2, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + ]), + }); + + var msg6 = msg("SYSTEM_MSG:19", all1); + + var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg7 = msg("SYSTEM_MSG:02", part9); + + var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); + + var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); + + var select3 = 
linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); + + var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); + + var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); + + var select4 = linear_select([ + part13, + part14, + ]); + + var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); + + var all2 = all_match({ + processors: [ + select3, + part12, + select4, + part15, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg8 = msg("SYSTEM_MSG:03", all2); + + var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg9 = msg("SYSTEM_MSG:04", part16); + + var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); + + var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); + + var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); + + var select5 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); + + var all3 = all_match({ + processors: [ + part17, + select5, + part20, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg10 = msg("SYSTEM_MSG:05", all3); + + var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg11 = msg("SYSTEM_MSG:06", part21); + + var part22 = match("MESSAGE#11:SYSTEM_MSG:07", 
"nwparser.payload", "fatal:%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg12 = msg("SYSTEM_MSG:07", part22); + + var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg13 = msg("SYSTEM_MSG:09", part23); + + var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg14 = msg("SYSTEM_MSG:10", part24); + + var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg15 = msg("SYSTEM_MSG:13", part25); + + var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg16 = msg("SYSTEM_MSG:14", part26); + + var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup11, + dup12, + ])); + + var msg17 = msg("SYSTEM_MSG:15", part27); + + var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup11, + dup13, + dup12, + dup14, + ])); + + var msg18 = msg("SYSTEM_MSG:16", part28); + + var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); + + var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); + + var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); + + var select6 = 
linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); + + var all4 = all_match({ + processors: [ + part29, + select6, + part32, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg19 = msg("SYSTEM_MSG:17", all4); + + var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg20 = msg("SYSTEM_MSG:20", part33); + + var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + setc("ec_subject","Password"), + dup16, + dup12, + dup17, + ])); + + var msg21 = msg("SYSTEM_MSG:21", part34); + + var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg22 = msg("SYSTEM_MSG:22", part35); + + var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + ])); + + var msg23 = msg("SYSTEM_MSG:23", part36); + + var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); + + var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); + + var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); + + var all5 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup19, + 
dup2, + dup3, + dup4, + dup11, + dup20, + dup17, + ]), + }); + + var msg24 = msg("SYSTEM_MSG:24", all5); + + var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); + + var select8 = linear_select([ + part41, + dup21, + ]); + + var all6 = all_match({ + processors: [ + select8, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg25 = msg("SYSTEM_MSG:08", all6); + + var select9 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + ]); + + var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); + + var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("action","activated"), + setc("event_description","Policy is activated by profile"), + ])); + + var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); + + var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg28 = msg("POLICY_COMMIT_EVENT", part44); + + var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ + setc("eventcategory","1701070000"), + dup2, + dup3, + dup4, + setc("action","de-activated"), + setc("event_description","Policy is de-activated by last referring profile"), + ])); + + var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); + + var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", 
"nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); + + var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg31 = msg("POLICY_LOOKUP_EVENT", part47); + + var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); + + var select10 = linear_select([ + msg30, + msg31, + msg32, + ]); + + var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); + + var msg34 = msg("MTSERROR", dup86); + + var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. 
Reason:%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); + + var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); + + var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); + + var select11 = linear_select([ + msg36, + msg37, + ]); + + var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); + + var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); + + var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); + + var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); + + var select12 = linear_select([ + msg40, + msg41, + ]); + + var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); + + var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); + + var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface duplex mode changed"), + ])); + + var msg44 = msg("IF_DUPLEX", part51); + + var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); + + var all7 = all_match({ + processors: [ + part52, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Receive Flow Control state changed"), + ]), + }); + + var msg45 = msg("IF_RX_FLOW_CONTROL", all7); + + var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg46 = msg("IF_SEQ_ERROR", part53); + + var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); + + var all8 = all_match({ + 
processors: [ + part54, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Transmit Flow Control state changed"), + ]), + }); + + var msg47 = msg("IF_TX_FLOW_CONTROL", all8); + + var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up in mode"), + ])); + + var msg48 = msg("IF_UP", part55); + + var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up"), + ])); + + var msg49 = msg("IF_UP:01", part56); + + var select13 = linear_select([ + msg48, + msg49, + ]); + + var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational speed changed"), + ])); + + var msg50 = msg("SPEED", part57); + + var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg51 = msg("CREATED", part58); + + var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg52 = msg("FOP_CHANGED", part59); + + var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg53 = msg("PORT_DOWN", part60); + + var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg54 = msg("PORT_UP", 
part61); + + var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); + + var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); + + var msg57 = msg("MTS_DROP", dup87); + + var msg58 = msg("SYSLOG_LOG_WARNING", dup87); + + var msg59 = msg("IM_SEQ_ERROR", dup93); + + var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); + + var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); + + var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); + + var msg63 = msg("IMG_DNLD_COMPLETE", dup87); + + var msg64 = msg("IMG_DNLD_STARTED", dup87); + + var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); + + var msg66 = msg("MSM_CRIT", dup93); + + var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); + + var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); + + var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg69 = msg("MOD_FAIL", part66); + + var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + 
var msg70 = msg("MOD_MAJORSWFAIL", part67); + + var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); + + var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg72 = msg("MOD_WARNING:01", part69); + + var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg73 = msg("MOD_WARNING", part70); + + var select14 = linear_select([ + msg72, + msg73, + ]); + + var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg74 = msg("ACTIVE_SUP_OK", part71); + + var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg75 = msg("MOD_OK", part72); + + var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg76 = msg("MOD_RESTART", part73); + + var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute resolved for port on VLAN"), + ])); + + var msg77 = 
msg("DISPUTE_CLEARED", part74); + + var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute detected on port on VLAN"), + ])); + + var msg78 = msg("DISPUTE_DETECTED", part75); + + var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); + + var msg80 = msg("CHASSIS_CLKMODOK", dup87); + + var msg81 = msg("CHASSIS_CLKSRC", dup87); + + var msg82 = msg("FAN_OK", dup87); + + var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg83 = msg("MOD_DETECT", part76); + + var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg84 = msg("MOD_PWRDN", part77); + + var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg85 = msg("MOD_PWRUP", part78); + + var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg86 = msg("MOD_REMOVE", part79); + + var msg87 = msg("PFM_MODULE_POWER_ON", dup87); + + var msg88 = msg("PFM_SYSTEM_RESET", dup87); + + var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); + + var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); + + var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); + + var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); + + var msg93 = msg("PFM_VEM_UNLICENSED", dup87); + + var msg94 = msg("PS_FANOK", dup87); + + var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number 
%{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg95 = msg("PS_OK", part80); + + var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); + + var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg97 = msg("FAN_DETECT", part82); + + var msg98 = msg("MOD_STATUS", dup87); + + var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC configured vlans changed"), + ])); + + var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); + + var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg100 = msg("PEER_VPC_DELETED", part84); + + var msg101 = msg("PFM_VEM_DETECTED", dup87); + + var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg102 = msg("PS_FOUND", part85); + + var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); + + var select15 = linear_select([ + part86, + dup21, + ]); + + var all9 = all_match({ + processors: [ + select15, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg103 = msg("PS_STATUS", all9); + + var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. 
possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); + + var msg105 = msg("PS_CAPACITY_CHANGE", dup87); + + var select16 = linear_select([ + msg104, + msg105, + ]); + + var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); + + var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); + + var select17 = linear_select([ + msg106, + msg107, + ]); + + var msg108 = msg("IF_DOWN_INITIALIZING", dup90); + + var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); + + var select18 = linear_select([ + msg108, + msg109, + ]); + + var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg110 = msg("IF_DOWN_NONE", part88); + + var msg111 = msg("IF_DOWN_NONE:01", dup96); + + var select19 = linear_select([ + msg110, + msg111, + ]); + + var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); + + var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); + + var select20 = linear_select([ + msg112, + msg113, + ]); + + var msg114 = msg("IF_DOWN_OFFLINE", dup88); + + var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); + + var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); + + var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); + + var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg118 = msg("IF_TRUNK_DOWN", part90); + + var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ + dup23, + dup2, + dup3, + dup4, 
+ ])); + + var msg119 = msg("IF_TRUNK_DOWN:01", part91); + + var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg120 = msg("IF_TRUNK_DOWN:02", part92); + + var select21 = linear_select([ + msg118, + msg119, + msg120, + ]); + + var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg121 = msg("IF_TRUNK_UP", part93); + + var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg122 = msg("IF_TRUNK_UP:01", part94); + + var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg123 = msg("IF_TRUNK_UP:02", part95); + + var select22 = linear_select([ + msg121, + msg122, + msg123, + ]); + + var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); + + var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); + + var msg126 = msg("STANDBY_SUP_OK", dup87); + + var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Loops detected in the network among ports"), + ])); + + var msg127 = msg("STM_LOOP_DETECT", part97); + + var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ + dup15, + 
dup2, + dup3, + dup4, + ])); + + var msg128 = msg("SYNC_COMPLETE", part98); + + var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); + + var msg130 = msg("MESG", dup87); + + var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var msg131 = msg("ERR_MSG", part99); + + var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); + + var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); + + var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg134 = msg("CFGWRITE_FAILED", part101); + + var msg135 = msg("CFGWRITE_ABORTED", dup87); + + var msg136 = msg("CFGWRITE_DONE", dup87); + + var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); + + var select23 = linear_select([ + part102, + dup21, + ]); + + var all10 = all_match({ + processors: [ + select23, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg137 = msg("CFGWRITE_STARTED", all10); + + var msg138 = msg("IF_ATTACHED", dup87); + + var msg139 = msg("IF_DELETE_AUTO", dup94); + + var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg140 = msg("IF_DETACHED", part103); + + var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); + + var msg142 = msg("IF_DOWN_INACTIVE", dup88); + + var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); + + var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", 
processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); + + var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ + dup36, + dup2, + dup3, + dup4, + ])); + + var msg145 = msg("CONN_CONNECT", part105); + + var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup3, + dup4, + ])); + + var msg146 = msg("CONN_DISCONNECT", part106); + + var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg147 = msg("DVPG_CREATE", part107); + + var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg148 = msg("DVPG_DELETE", part108); + + var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); + + var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg150 = msg("DVS_NAME_CHANGE", part109); + + var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); + + var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg152 = msg("VPC_DELETED", part110); + + var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","VPC is up"), + ])); + + var msg153 = msg("VPC_UP", part111); + + var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by 
%{username->} on %{p0}"); + + var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); + + var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); + + var select24 = linear_select([ + part113, + part114, + ]); + + var all11 = all_match({ + processors: [ + part112, + select24, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); + + var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); + + var select25 = linear_select([ + msg154, + msg155, + ]); + + var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); + + var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); + + var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","program start"), + ])); + + var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); + + var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); + + var part120 = 
match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); + + var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); + + var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + ])); + + var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); + + var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); + + var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); + + var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); + + var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); + + var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", 
"update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); + + var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); + + var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); + + var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); + + var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); + + var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); + + var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var select26 = linear_select([ + part132, + part133, + ]); + + var all12 = all_match({ + processors: [ + dup42, + select26, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); + + var part134 = 
match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); + + var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); + + var select27 = linear_select([ + part134, + part135, + ]); + + var all13 = all_match({ + processors: [ + dup42, + select27, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); + + var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); + + var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Added user"), + dup44, + ])); + + var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); + + var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Deleted user"), + dup44, + ])); + + var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); + + var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); + + var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg178 = 
msg("AAA_ACCOUNTING_MESSAGE:07", part140); + + var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); + + var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); + + var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); + + var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); + + var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","shell terminated"), + ])); + + var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); + + var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); + + var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); + + var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", 
"nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); + + var select28 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + ]); + + var all14 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Log Flow Interval"), + dup60, + ]), + }); + + var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); + + var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); + + var all15 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Lof New Flow"), + dup60, + ]), + }); + + var msg189 = msg("ACLLOG_NEW_FLOW", all15); + + var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), + ])); + + var msg190 = msg("DUP_VADDR_SRC_IP", part150); + + var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", 
"nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); + + var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); + + var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); + + var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg194 = msg("PFM_CLOCK_CHANGE", part154); + + var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); + + var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg196 = msg("snmpd", part156); + + var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg197 = msg("snmpd:01", part157); + + var select29 = linear_select([ + msg196, + msg197, + ]); + + var 
part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg198 = msg("CFGWRITE_USER_ABORT", part158); + + var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); + + var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","last message repeated number of times."), + setc("dclass_counter1_string","Number of times repeated"), + ])); + + var msg200 = msg("last", part159); + + var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg201 = msg("SERVICE_CRASHED", part160); + + var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service lost on WCCP Client"), + ])); + + var msg202 = msg("SERVICELOST", part161); + + var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); + + var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); + + var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); + + var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); + + var select30 = linear_select([ + part164, + part165, + ]); + + var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); + + var all16 = all_match({ + processors: [ + part163, + 
select30, + part166, + ], + on_success: processor_chain([ + dup23, + dup2, + dup3, + dup4, + ]), + }); + + var msg204 = msg("PS_FAIL", all16); + + var msg205 = msg("INFORMATION", dup87); + + var msg206 = msg("EVENT", dup87); + + var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); + + var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg208 = msg("NEIGHBOR_ADDED", part168); + + var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg209 = msg("NEIGHBOR_REMOVED", part169); + + var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); + + var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); + + var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); + + var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg213 = 
msg("PORT_SUSPENDED", part173); + + var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","status"), + ])); + + var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); + + var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); + + var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); + + var msg217 = msg("ADJCHANGE", dup87); + + var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg218 = msg("PORT_ADDED", part175); + + var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg219 = msg("PORT_DELETED", part176); + + var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + ])); + + var msg220 = msg("PORT_ROLE", part177); + + var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","Port state"), + ])); + + var msg221 = msg("PORT_STATE", part178); + + var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); + + var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", 
"nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); + + var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); + + var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); + + var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); + + var select31 = linear_select([ + part183, + part184, + ]); + + var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); + + var all17 = all_match({ + processors: [ + part182, + select31, + part185, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); + + var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); + + var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. 
%{info}", processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","Performing configuration copy"), + ])); + + var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); + + var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); + + var all18 = all_match({ + processors: [ + dup64, + dup103, + part188, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","shell terminated because of session timeout"), + ]), + }); + + var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); + + var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); + + var all19 = all_match({ + processors: [ + dup64, + dup103, + part189, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); + + var select32 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + ]); + + var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); + + var msg231 = msg("IF_SFP_WARNING", dup105); + + var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); + + var msg233 = msg("FCIP_PEER_CAVIUM", dup87); + + var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); + + var msg235 = msg("IF_DOWN_PEER_RESET", dup106); + + var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","configuration is not consistent in domain"), + ])); + + var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); + + var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ + dup8, + dup2, + dup3, + dup4, + 
setc("event_description","configuration is consistent in domain"), + ])); + + var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); + + var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); + + var msg239 = msg("IF_HARDWARE", dup105); + + var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ + setc("eventcategory","1604010000"), + dup2, + dup3, + dup4, + ])); + + var msg240 = msg("HEARTBEAT_FAILURE", part192); + + var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); + + var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); + + var msg243 = msg("MOUNT", dup87); + + var msg244 = msg("LOG_CMP_UP", dup87); + + var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); + + var all20 = all_match({ + processors: [ + dup69, + dup107, + part193, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg245 = msg("IF_XCVR_WARNING", all20); + + var msg246 = msg("IF_XCVR_WARNING:01", dup108); + + var select33 = linear_select([ + msg245, + msg246, + ]); + + var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); + + var all21 = all_match({ + processors: [ + dup69, + dup107, + part194, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg247 = msg("IF_XCVR_ALARM", all21); + + var msg248 = msg("IF_XCVR_ALARM:01", dup108); + + var select34 = linear_select([ + msg247, + msg248, + ]); + + var msg249 = msg("MEMORY_ALERT", dup87); + + var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); + + var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); + + var all22 = all_match({ + processors: [ + dup69, + dup107, + part195, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg251 = msg("IF_SFP_ALARM", all22); + + var msg252 = msg("IF_SFP_ALARM:01", dup108); + + var select35 = linear_select([ 
+ msg251, + msg252, + ]); + + var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var msg253 = msg("NBRCHANGE_DUAL", part196); + + var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); + + var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); + + var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); + + var select36 = linear_select([ + part198, + part199, + ]); + + var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); + + var all23 = all_match({ + processors: [ + part197, + select36, + part200, + ], + on_success: processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","System minor alarm on fans in fan tray"), + ]), + }); + + var msg254 = msg("SOHMS_DIAG_ERROR", all23); + + var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","FEX-System minor alarm on power supply."), + ])); + + var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); + + var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); + + var select37 = linear_select([ + msg254, + msg255, + msg256, + ]); + + var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. 
%{info}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Failed to program the mac table"), + ])); + + var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); + + var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ + dup19, + dup11, + dup20, + setc("ec_theme","UserGroup"), + dup2, + dup3, + dup4, + setc("event_description","deleting expired user account"), + ])); + + var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); + + var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","Interface is admin up."), + ])); + + var msg259 = msg("IF_ADMIN_UP", part205); + + var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","vPC is configured"), + dup74, + ])); + + var msg260 = msg("VPC_CFGD", part206); + + var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ + dup30, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","System Manager has received notification of local module becoming online."), + ])); + + var msg261 = msg("MODULE_ONLINE", part207); + + var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ + dup30, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","System booted from Primary BIOS Flash"), + ])); + + var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); + + var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ + dup77, + dup34, + dup38, + 
dup72, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC is down"), + dup74, + ])); + + var msg263 = msg("PEER_VPC_DOWN", part209); + + var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); + + var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); + + var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); + + var select38 = linear_select([ + part211, + part212, + ]); + + var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); + + var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); + + var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); + + var select39 = linear_select([ + part214, + part215, + ]); + + var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); + + var all24 = all_match({ + processors: [ + part210, + select38, + part213, + select39, + part216, + ], + on_success: processor_chain([ + dup36, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive received on interface"), + ]), + }); + + var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); + + var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ + dup36, + dup34, + dup78, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive receive is successful"), + ])); + + var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); + + var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup14, + dup2, 
+ dup3, + dup4, + setc("event_description","In domain, VPC peer keep-alive receive has failed"), + ])); + + var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); + + var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive sent on interface"), + ])); + + var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); + + var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive send is successful"), + ])); + + var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); + + var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ + dup30, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Peer keep-alive status changed."), + setc("change_attribute","peer keep-alive status"), + ])); + + var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); + + var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Ejectors' status in slot has changed."), + ])); + + var msg270 = msg("EJECTOR_STAT_CHANGED", part222); + + var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ + dup29, + setc("ec_activity","Detect"), + dup38, + dup2, + dup3, + dup4, + setc("event_description","Xbar detected"), + ])); + + var msg271 = 
msg("XBAR_DETECT", part223); + + var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","Xbar powered up"), + ])); + + var msg272 = msg("XBAR_PWRUP", part224); + + var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + setc("ec_activity","Stop"), + dup2, + dup3, + dup4, + setc("event_description","Xbar powered down"), + ])); + + var msg273 = msg("XBAR_PWRDN", part225); + + var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Xbar is online"), + ])); + + var msg274 = msg("XBAR_OK", part226); + + var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU start, locking configuration"), + ])); + + var msg275 = msg("VPC_ISSU_START", part227); + + var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), + ])); + + var msg276 = msg("VPC_ISSU_END", part228); + + var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("obj_type","new_role"), + ])); + + var msg277 = msg("PORT_RANGE_ROLE", part229); + + var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + 
dup4, + setc("obj_type","new_state"), + ])); + + var msg278 = msg("PORT_RANGE_STATE", part230); + + var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface removed from MST."), + ])); + + var msg279 = msg("PORT_RANGE_DELETED", part231); + + var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ + dup29, + dup34, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface added to MST."), + ])); + + var msg280 = msg("PORT_RANGE_ADDED", part232); + + var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Port removed as MST Boundary port"), + ])); + + var msg281 = msg("MST_PORT_BOUNDARY", part233); + + var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. 
Error Type: %{result}.%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Non-transactional PIXM Error"), + ])); + + var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); + + var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("obj_type"," Interface state"), + ])); + + var msg283 = msg("IM_INTF_STATE", part235); + + var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ + dup62, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","VDC state changed."), + setc("obj_type"," VDC state"), + ])); + + var msg284 = msg("VDC_STATE_CHANGE", part236); + + var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup81, + ])); + + var msg285 = msg("SWITCHOVER_OVER", part237); + + var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ + dup62, + dup16, + dup38, + dup2, + dup3, + dup4, + dup81, + setc("obj_type"," New Module type"), + ])); + + var msg286 = msg("VDC_MODULETYPE", part238); + + var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ + dup77, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Unable to sync HA sequence number for service"), + ])); + + var msg287 = msg("HASEQNO_SYNC_FAILED", part239); + + var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + 
setc("event_description","Failure in sending message to standby causing standby to reset."), + ])); + + var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); + + var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Failed to lock the local module to avoid reset"), + ])); + + var msg289 = msg("MODULE_LOCK_FAILED", part241); + + var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), + ])); + + var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); + + var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ + dup29, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), + ])); + + var msg291 = msg("SERVER_ADDED", part243); + + var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ + dup24, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server on local port has been removed"), + ])); + + var msg292 = msg("SERVER_REMOVED", part244); + + var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg293 = 
msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); + + var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","port is operationally individual"), + ])); + + var msg294 = msg("PORT_INDIVIDUAL", part246); + + var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); + + var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("event_description","Interface is being recovered from error disabled state"), + ])); + + var msg296 = msg("IF_ERRDIS_RECOVERY", part248); + + var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Non-Cisco transceiver on interface is detected"), + ])); + + var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); + + var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Active supervisor is running with less memory than standby supervisor."), + ])); + + var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); + + var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Configuration update 
started."), + ])); + + var msg299 = msg("READCONF_STARTED", part251); + + var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Supervisor is running with less memory than active supervisor."), + ])); + + var msg300 = msg("SUP_POWERDOWN", part252); + + var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Starting linecard upgrade"), + ])); + + var msg301 = msg("LC_UPGRADE_START", part253); + + var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Rebooting linecard as a part of upgrade"), + ])); + + var msg302 = msg("LC_UPGRADE_REBOOT", part254); + + var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database controller started."), + ])); + + var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); + + var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database successfully restored."), + ])); + + var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); + + var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module started"), + ])); + + var msg305 = 
msg("LCM_MODULE_UPGRADE_START", part257); + + var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module ended"), + ])); + + var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); + + var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ + dup63, + dup34, + dup78, + dup35, + dup2, + dup3, + dup4, + setc("event_description","Recieved insert for lc mod"), + ])); + + var msg307 = msg("FIPS_POST_INFO_MSG", part259); + + var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","peer vPC is configured"), + dup74, + ])); + + var msg308 = msg("PEER_VPC_CFGD", part260); + + var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Potential Interop issue on interface."), + ])); + + var msg309 = msg("SYN_COLL_DIS_EN", part261); + + var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX OFFLINE"), + ])); + + var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); + + var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX ONLINE"), + ])); + + var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); + + var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + 
setc("event_description","Fex is online"), + ])); + + var msg312 = msg("FEX_STATUS_online", part264); + + var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Fex is offline"), + ])); + + var msg313 = msg("FEX_STATUS_offline", part265); + + var select40 = linear_select([ + msg312, + msg313, + ]); + + var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ + dup73, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), + ])); + + var msg314 = msg("PS_PWR_INPUT_MISSING", part266); + + var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Power redundancy operational mode changed."), + setc("change_attribute","operational mode"), + ])); + + var msg315 = msg("PS_RED_MODE_RESTORED", part267); + + var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","All ejectors open, Module will not be powered up."), + ])); + + var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); + + var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Fex pinning information is changed"), + ])); + + var msg317 = msg("PINNING_CHANGED", part269); + + var part270 = match("MESSAGE#311:SATCTRL", 
"nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX-100 Module -Cold boot"), + ])); + + var msg318 = msg("SATCTRL", part270); + + var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Client register more than once with same pid"), + ])); + + var msg319 = msg("DUP_REGISTER", part271); + + var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Unknown mtype"), + ])); + + var msg320 = msg("UNKNOWN_MTYPE", part272); + + var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + ])); + + var msg321 = msg("SATCTRL_IMAGE", part273); + + var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup1, + setc("ec_subject","Process"), + dup14, + dup2, + dup3, + dup4, + ])); + + var msg322 = msg("API_FAILED", part274); + + var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg323 = msg("SENSOR_MSG1", part275); + + var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg324 = msg("API_INIT_SEM_CLEAR", part276); + + var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","vdc has come online"), + ])); + + var msg325 = 
msg("VDC_ONLINE", part277); + + var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), + ])); + + var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); + + var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg327 = msg("dstats", part279); + + var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ + dup77, + dup34, + setc("ec_activity","Logoff"), + dup35, + dup2, + dup3, + dup4, + ])); + + var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); + + var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ + dup77, + dup34, + dup13, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg329 = msg("MSG_PORT_LOGGED_IN", part281); + + var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); + + var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg331 = msg("ZS_MERGE_FAILED", part282); + + var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); + + var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ + dup23, + dup34, + dup35, + dup2, + dup3, 
+ dup4, + setc("change_attribute","Port"), + ])); + + var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); + + var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg334 = msg("zone", part284); + + var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ + dup1, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg335 = msg("ERROR", part285); + + var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg336 = msg("INVAL_IP", part286); + + var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); + + var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg338 = msg("DUPLEX_MISMATCH", part288); + + var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg339 = msg("NOHMS_DIAG_ERROR", part289); + + var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ + dup15, + dup34, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); + + var part291 = 
match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg341 = msg("UDLD_PORT_DISABLED", part291); + + var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg342 = msg("ntpd", part292); + + var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg343 = msg("ntpd:01", part293); + + var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg344 = msg("ntpd:02", part294); + + var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg345 = msg("ntpd:03", part295); + + var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg346 = msg("ntpd:04", part296); + + var select41 = linear_select([ + msg342, + msg343, + msg344, + msg345, + msg346, + ]); + + var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg347 = msg("PFM_ALERT", part297); + + var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Client"), + ])); + + var msg348 = msg("SERVICEFOUND", part298); + + var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + 
setc("event_description","Service acquired on WCCP Router"), + ])); + + var msg349 = msg("ROUTERFOUND", part299); + + var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Authentication failed"), + ])); + + var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); + + var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup18, + dup2, + dup12, + dup3, + dup4, + setc("event_description","New user added"), + ])); + + var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); + + var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + ])); + + var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); + + var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + setc("event_description","session opened for user"), + ])); + + var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); + + var select42 = linear_select([ + msg352, + msg353, + ]); + + var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg354 = msg("%USER-3-SYSTEM_MSG", part304); + + var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg355 = msg("%USER-6-SYSTEM_MSG", part305); + + var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", 
"input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); + + var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Failed none for invalid user"), + ])); + + var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); + + var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Accepted password for user"), + ])); + + var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); + + var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","No such file or directory"), + ])); + + var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); + + var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Could not load host key"), + ])); + + var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); + + var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + ])); + + var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); + + var select43 = linear_select([ + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + ]); + + var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan 
%{vlan->} for %{duration}s due to too many mac moves", processor_chain([ + dup30, + dup2, + dup4, + setc("ec_activity","Disable"), + ])); + + var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); + + var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ + dup30, + dup2, + dup4, + dup37, + ])); + + var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); + + var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg364 = msg("PS_ABSENT", part314); + + var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg365 = msg("PS_DETECT", part315); + + var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg366 = msg("SUBPROC_TERMINATED", part316); + + var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup17, + ])); + + var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); + + var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ + dup30, + dup2, + dup4, + ])); + + var msg368 = msg("UPDOWN", part318); + + var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup4, + 
setc("change_attribute","Interface"), + ])); + + var msg369 = msg("L2FM_MAC_MOVE2", part319); + + var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); + + var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg371 = msg("PS_RED_MODE_CHG", part321); + + var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg372 = msg("INVAL_MAC", part322); + + var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ + dup15, + dup2, + dup4, + setc("change_attribute","Service status"), + ])); + + var msg373 = msg("SRVSTATE_CHANGED", part323); + + var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg374 = msg("INFO", part324); + + var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup76, + dup17, + ])); + + var msg375 = msg("SERVICE_STARTED", part325); + + var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. 
Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); + + var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg377 = msg("DUP_SRCIP_PROBE", part327); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "%AUTHPRIV-3-SYSTEM_MSG": msg350, + "%AUTHPRIV-5-SYSTEM_MSG": msg351, + "%AUTHPRIV-6-SYSTEM_MSG": select42, + "%USER-3-SYSTEM_MSG": msg354, + "%USER-6-SYSTEM_MSG": select43, + "AAA_ACCOUNTING_MESSAGE": select28, + "ACLLOG_FLOW_INTERVAL": msg187, + "ACLLOG_MAXFLOW_REACHED": msg188, + "ACLLOG_NEW_FLOW": msg189, + "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, + "ACTIVE_SUP_OK": msg74, + "ADDON_IMG_DNLD_COMPLETE": msg60, + "ADDON_IMG_DNLD_STARTED": msg61, + "ADDON_IMG_DNLD_SUCCESSFUL": msg62, + "ADJCHANGE": msg217, + "API_FAILED": msg322, + "API_INIT_SEM_CLEAR": msg324, + "BIOS_DAEMON_LC_PRI_BOOT": msg262, + "CFGWRITE_ABORTED": msg135, + "CFGWRITE_ABORTED_LOCK": msg133, + "CFGWRITE_DONE": msg136, + "CFGWRITE_FAILED": msg134, + "CFGWRITE_STARTED": msg137, + "CFGWRITE_USER_ABORT": msg198, + "CHASSIS_CLKMODOK": msg80, + "CHASSIS_CLKSRC": msg81, + "CONN_CONNECT": msg145, + "CONN_DISCONNECT": msg146, + "CREATED": msg51, + "DELETE_STALE_USER_ACCOUNT": msg258, + "DISPUTE_CLEARED": msg77, + "DISPUTE_DETECTED": msg78, + "DOMAIN_CFG_SYNC_DONE": msg79, + "DUPLEX_MISMATCH": msg338, + "DUP_REGISTER": msg319, + "DUP_SRCIP_PROBE": msg377, + "DUP_VADDR_SRCIP_PROBE": msg376, + "DUP_VADDR_SRC_IP": msg190, + "DVPG_CREATE": msg147, + "DVPG_DELETE": msg148, + "DVS_HOSTMEMBER_INFO": msg149, + "DVS_NAME_CHANGE": msg150, + "EJECTOR_STAT_CHANGED": msg270, + 
"ERROR": msg335, + "ERR_MSG": msg131, + "EVENT": msg206, + "FAN_DETECT": msg97, + "FAN_OK": msg82, + "FCIP_PEER_CAVIUM": msg233, + "FEX_PORT_STATUS_NOTI": msg214, + "FEX_STATUS": select40, + "FIPS_POST_INFO_MSG": msg307, + "FOP_CHANGED": msg52, + "HASEQNO_SYNC_FAILED": msg287, + "HEARTBEAT_FAILURE": msg240, + "IF_ADMIN_UP": msg259, + "IF_ATTACHED": msg138, + "IF_BANDWIDTH_CHANGE": msg210, + "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, + "IF_DELETE_AUTO": msg139, + "IF_DETACHED": msg140, + "IF_DETACHED_MODULE_REMOVED": msg141, + "IF_DOWN_ADMIN_DOWN": select11, + "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, + "IF_DOWN_CFG_CHANGE": msg193, + "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, + "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, + "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, + "IF_DOWN_ERROR_DISABLED": msg35, + "IF_DOWN_FCOT_NOT_PRESENT": select17, + "IF_DOWN_INACTIVE": msg142, + "IF_DOWN_INITIALIZING": select18, + "IF_DOWN_INTERFACE_REMOVED": msg39, + "IF_DOWN_LINK_FAILURE": select12, + "IF_DOWN_MODULE_REMOVED": msg42, + "IF_DOWN_NONE": select19, + "IF_DOWN_NON_PARTICIPATING": msg143, + "IF_DOWN_NOS_RCVD": select20, + "IF_DOWN_OFFLINE": msg114, + "IF_DOWN_OLS_RCVD": msg115, + "IF_DOWN_PARENT_ADMIN_DOWN": msg211, + "IF_DOWN_PEER_CLOSE": msg234, + "IF_DOWN_PEER_RESET": msg235, + "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, + "IF_DOWN_SOFTWARE_FAILURE": msg116, + "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, + "IF_DOWN_SUSPENDED_BY_SPEED": msg293, + "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, + "IF_DOWN_VEM_UNLICENSED": msg144, + "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, + "IF_DUPLEX": msg44, + "IF_ERRDIS_RECOVERY": msg296, + "IF_ERROR_VLANS_REMOVED": msg191, + "IF_ERROR_VLANS_SUSPENDED": msg192, + "IF_HARDWARE": msg239, + "IF_NON_CISCO_TRANSCEIVER": msg297, + "IF_PORTPROFILE_ATTACHED": msg125, + "IF_RX_FLOW_CONTROL": msg45, + "IF_SEQ_ERROR": msg46, + "IF_SFP_ALARM": select35, + "IF_SFP_WARNING": msg231, + "IF_TRUNK_DOWN": select21, + "IF_TRUNK_UP": select22, + 
"IF_TX_FLOW_CONTROL": msg47, + "IF_UP": select13, + "IF_XCVR_ALARM": select34, + "IF_XCVR_WARNING": select33, + "IMG_DNLD_COMPLETE": msg63, + "IMG_DNLD_STARTED": msg64, + "IM_INTF_STATE": msg283, + "IM_SEQ_ERROR": msg59, + "INFO": msg374, + "INFORMATION": msg205, + "INTF_CONSISTENCY_FAILED": msg236, + "INTF_CONSISTENCY_SUCCESS": msg237, + "INTF_COUNTERS_CLEARED": msg238, + "INVAL_IP": msg336, + "INVAL_MAC": msg372, + "L2FMC_NL_MTS_SEND_FAILURE": msg290, + "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, + "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, + "L2FM_MAC_MOVE2": msg369, + "LACP_SUSPEND_INDIVIDUAL": msg326, + "LCM_MODULE_UPGRADE_END": msg306, + "LCM_MODULE_UPGRADE_START": msg305, + "LC_UPGRADE_REBOOT": msg302, + "LC_UPGRADE_START": msg301, + "LOG-7-SYSTEM_MSG": msg1, + "LOG_CMP_AAA_FAILURE": msg67, + "LOG_CMP_UP": msg244, + "LOG_LIC_N1K_EXPIRY_WARNING": msg68, + "M2FIB_MAC_TBL_PRGMING": msg257, + "MAC_MOVE_NOTIFICATION": msg333, + "MEMORY_ALERT": msg249, + "MEMORY_ALERT_RECOVERED": msg250, + "MESG": msg130, + "MODULE_LOCK_FAILED": msg289, + "MODULE_ONLINE": msg261, + "MOD_BRINGUP_MULTI_LIMIT": msg96, + "MOD_DETECT": msg83, + "MOD_FAIL": msg69, + "MOD_MAJORSWFAIL": msg70, + "MOD_OK": msg75, + "MOD_PWRDN": msg84, + "MOD_PWRFAIL_EJECTORS_OPEN": msg316, + "MOD_PWRUP": msg85, + "MOD_REMOVE": msg86, + "MOD_RESTART": msg76, + "MOD_SRG_NOT_COMPATIBLE": msg71, + "MOD_STATUS": msg98, + "MOD_WARNING": select14, + "MOUNT": msg243, + "MSG_PORT_LOGGED_IN": msg329, + "MSG_PORT_LOGGED_OUT": msg328, + "MSG_SEND_FAILURE_STANDBY_RESET": msg288, + "MSM_CRIT": msg66, + "MST_PORT_BOUNDARY": msg281, + "MTSERROR": msg34, + "MTS_DROP": msg57, + "NATIVE_VLAN_MISMATCH": msg207, + "NBRCHANGE_DUAL": msg253, + "NEIGHBOR_ADDED": msg208, + "NEIGHBOR_REMOVED": msg209, + "NEIGHBOR_UPDATE_AUTOCOPY": msg33, + "NOHMS_DIAG_ERROR": msg339, + "NOHMS_DIAG_ERR_PS_FAIL": msg215, + "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, + "NOHMS_ENV_FEX_OFFLINE": msg310, + "NOHMS_ENV_FEX_ONLINE": msg311, + 
"PEER_KEEP_ALIVE_RECV_FAIL": msg266, + "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, + "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, + "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, + "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, + "PEER_KEEP_ALIVE_STATUS": msg269, + "PEER_VPC_CFGD": msg308, + "PEER_VPC_CFGD_VLANS_CHANGED": msg99, + "PEER_VPC_DELETED": msg100, + "PEER_VPC_DOWN": msg263, + "PFM_ALERT": msg347, + "PFM_CLOCK_CHANGE": msg194, + "PFM_FAN_FLTR_STATUS": msg242, + "PFM_MODULE_POWER_ON": msg87, + "PFM_PS_RED_MODE_CHG": msg370, + "PFM_SYSTEM_RESET": msg88, + "PFM_VEM_DETECTED": msg101, + "PFM_VEM_REMOVE_NO_HB": msg89, + "PFM_VEM_REMOVE_RESET": msg90, + "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, + "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, + "PFM_VEM_UNLICENSED": msg93, + "PINNING_CHANGED": msg317, + "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, + "POLICY_ACTIVATE_EVENT": msg27, + "POLICY_COMMIT_EVENT": msg28, + "POLICY_DEACTIVATE_EVENT": msg29, + "POLICY_LOOKUP_EVENT": select10, + "PORT_ADDED": msg218, + "PORT_DELETED": msg219, + "PORT_DOWN": msg53, + "PORT_INDIVIDUAL": msg294, + "PORT_INDIVIDUAL_DOWN": msg212, + "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, + "PORT_RANGE_ADDED": msg280, + "PORT_RANGE_DELETED": msg279, + "PORT_RANGE_ROLE": msg277, + "PORT_RANGE_STATE": msg278, + "PORT_ROLE": msg220, + "PORT_SOFTWARE_FAILURE": msg65, + "PORT_STATE": msg221, + "PORT_SUSPENDED": msg213, + "PORT_UP": msg54, + "PS_ABSENT": msg364, + "PS_CAPACITY_CHANGE": select16, + "PS_DETECT": msg365, + "PS_FAIL": msg204, + "PS_FANOK": msg94, + "PS_FOUND": msg102, + "PS_OK": msg95, + "PS_PWR_INPUT_MISSING": msg314, + "PS_RED_MODE_CHG": msg371, + "PS_RED_MODE_RESTORED": msg315, + "PS_STATUS": msg103, + "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, + "READCONF_STARTED": msg299, + "RM_VICPP_RECREATE_ERROR": msg132, + "ROUTERFOUND": msg349, + "RUNTIME_DB_RESTORE_STARTED": msg303, + "RUNTIME_DB_RESTORE_SUCCESS": msg304, + "SATCTRL": msg318, + "SATCTRL_IMAGE": msg321, + "SENSOR_MSG1": msg323, + "SERVER_ADDED": msg291, 
+ "SERVER_REMOVED": msg292, + "SERVICEFOUND": msg348, + "SERVICELOST": msg202, + "SERVICE_CRASHED": msg201, + "SERVICE_STARTED": msg375, + "SOHMS_DIAG_ERROR": select37, + "SPEED": msg50, + "SRVSTATE_CHANGED": msg373, + "STANDBY_SUP_OK": msg126, + "STM_LEARNING_RE_ENABLE": msg340, + "STM_LOOP_DETECT": msg127, + "SUBGROUP_ID_PORT_ADDED": msg55, + "SUBGROUP_ID_PORT_REMOVED": msg56, + "SUBPROC_SUCCESS_EXIT": msg367, + "SUBPROC_TERMINATED": msg366, + "SUP_POWERDOWN": msg300, + "SWITCHOVER_OVER": msg285, + "SYNC_COMPLETE": msg128, + "SYNC_FAILURE_STANDBY_RESET": msg195, + "SYN_COLL_DIS_EN": msg309, + "SYSLOG_LOG_WARNING": msg58, + "SYSLOG_SL_MSG_WARNING": msg337, + "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, + "SYSTEM_MSG": select9, + "TACACS_ACCOUNTING_MESSAGE": select32, + "TACACS_ERROR_MESSAGE": msg230, + "UDLD_PORT_DISABLED": msg341, + "UNKNOWN_MTYPE": msg320, + "UPDOWN": msg368, + "VDC_HOSTNAME_CHANGE": msg26, + "VDC_MODULETYPE": msg286, + "VDC_ONLINE": msg325, + "VDC_STATE_CHANGE": msg284, + "VMS_PPM_SYNC_COMPLETE": msg151, + "VPC_CFGD": msg260, + "VPC_DELETED": msg152, + "VPC_ISSU_END": msg276, + "VPC_ISSU_START": msg275, + "VPC_UP": msg153, + "VSHD_SYSLOG_CONFIG_I": select25, + "XBAR_DETECT": msg271, + "XBAR_OK": msg274, + "XBAR_PWRDN": msg273, + "XBAR_PWRUP": msg272, + "ZS_MERGE_FAILED": msg331, + "dstats": msg327, + "last": msg200, + "ntpd": select41, + "snmpd": select29, + "zone": msg334, + }), + ]); + + var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); + + var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); + + var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); + + var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); + + var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); + + var part333 = 
match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); + + var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); + + var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); + + var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); + + var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); + + var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); + + var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); + + var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); + + var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); + + var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); + + var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); + + var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); + + var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); + + var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); + + var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); + + var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); + + var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var part352 = 
match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var select44 = linear_select([ + dup26, + dup27, + ]); + + var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var part365 = 
match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var select45 = linear_select([ + dup46, + dup47, + ]); + + var select46 = linear_select([ + dup49, + dup50, + ]); + + var select47 = linear_select([ + dup54, + dup55, + ]); + + var select48 = linear_select([ + dup57, + dup58, + ]); + + var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select49 = linear_select([ + dup65, + dup66, + ]); + + var select50 = linear_select([ + dup67, + dup68, + ]); + + var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select51 = linear_select([ + dup70, + dup71, + ]); + + var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- 
registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cisco/0.13.3/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/0.13.3/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..0ae3463d96 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,69 @@
+---
+description: Pipeline for Cisco Nexus
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco/0.13.3/data_stream/nexus/fields/agent.yml b/packages/cisco/0.13.3/data_stream/nexus/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/nexus/fields/agent.yml
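Review bot: The comment `# ECS event.ingested` above the first `set` processor does not describe what that processor does: it sets `ecs.version` to `'8.0.0'`, and nothing in this hunk populates `event.ingested`, so a reader will go looking for an ingested-timestamp step that is not here. Suggest changing the comment to `# ECS version`. Separately, the `on_failure` handler only appends `_ingest.on_failure_message` to `error.message`; if the package's other pipelines also mark failed documents (for example by setting `event.kind` to `pipeline_error`), doing the same here would let events whose enrichment failed be found in the index instead of passing through indistinguishable from good ones — I cannot confirm that convention from this hunk alone.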
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/cisco/0.13.3/data_stream/nexus/fields/base-fields.yml b/packages/cisco/0.13.3/data_stream/nexus/fields/base-fields.yml
new file mode 100755
index 0000000000..b676b8221c
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/nexus/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco.nexus
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/cisco/0.13.3/data_stream/nexus/fields/ecs.yml b/packages/cisco/0.13.3/data_stream/nexus/fields/ecs.yml
new file mode 100755
index 0000000000..78ddffacce
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/nexus/fields/ecs.yml
@@ -0,0 +1,541 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/cisco/0.13.3/data_stream/nexus/fields/fields.yml b/packages/cisco/0.13.3/data_stream/nexus/fields/fields.yml new file mode 100755 index 0000000000..489a873293 --- /dev/null +++ b/packages/cisco/0.13.3/data_stream/nexus/fields/fields.yml 
@@ -0,0 +1,1753 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + 
type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: 
cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - 
name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
+- name: dns.question.domain
+ type: keyword
+ description: Server domain.
+- name: network.interface.name
+ type: keyword
diff --git a/packages/cisco/0.13.3/data_stream/nexus/manifest.yml b/packages/cisco/0.13.3/data_stream/nexus/manifest.yml
new file mode 100755
index 0000000000..a608512a5c
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/nexus/manifest.yml
@@ -0,0 +1,205 @@
+title: Cisco Nexus logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Cisco Nexus logs
+ description: Collect Cisco Nexus logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-nexus
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9506
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Cisco Nexus logs
+ description: Collect Cisco Nexus logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-nexus
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9506
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Cisco Nexus logs
+ description: Collect Cisco Nexus logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-nexus.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-nexus
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/cisco/0.13.3/data_stream/nexus/sample_event.json b/packages/cisco/0.13.3/data_stream/nexus/sample_event.json
new file mode 100755
index 0000000000..5bbeb4b806
--- /dev/null
+++ b/packages/cisco/0.13.3/data_stream/nexus/sample_event.json
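Review bot: The tcp stream (`- input: tcp`) exposes only `tcp_host` and `tcp_port`, with no way to turn on transport encryption, so syslog forwarded from Nexus switches over the network arrives in cleartext and the listener accepts any peer that can reach the port; the Filebeat tcp input supports `ssl` settings, and exposing them through a `- name: ssl` var of `type: yaml` with `show_user: false` would let operators enable TLS without editing the template. The `localhost` default for `udp_host` and `tcp_host` is a safe choice, but the titles say nothing about the trade-off of changing it; a `description: Bind address for the listener. Binding to a non-loopback address exposes an unauthenticated syslog receiver to the network.` on both vars would make that visible in the UI. The udp stream has the same gap in its var descriptions.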
@@ -0,0 +1,58 @@
+{
+ "@timestamp": "2022-01-25T08:47:14.944Z",
+ "agent": {
+ "ephemeral_id": "091f3442-1209-4033-8434-e8c731c8a092",
+ "hostname": "docker-fleet-agent",
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "data_stream": {
+ "dataset": "cisco.nexus",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "elastic_agent": {
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "code": "pam_aaa",
+ "dataset": "cisco.nexus",
+ "ingested": "2022-01-25T08:47:15Z",
+ "original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login\n",
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "172.19.0.4:54372"
+ }
+ },
+ "observer": {
+ "product": "Nexus",
+ "type": "Switches",
+ "vendor": "Cisco"
+ },
+ "rsa": {
+ "internal": {
+ "messageid": "pam_aaa"
+ },
+ "time": {
+ "timezone": "Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "cisco-nexus",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/docs/README.md b/packages/cisco/0.13.3/docs/README.md
new file mode 100755
index 0000000000..1b440cf628
--- /dev/null
+++ b/packages/cisco/0.13.3/docs/README.md
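Review bot: The sample event shows the parser misaligned on the syslog header: `rsa.time.timezone` holds `Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG`, i.e. the device host name and the facility/severity tag ended up in a timezone field. The message in `event.original` is a failed login (`Authentication failed for user en from 2.2.2.1`), yet the user and the source address are not surfaced as `user.name` or `source.ip`, and there is no `event.category`/`event.outcome` marking it as a failed authentication, so detection rules keyed on ECS authentication fields will not see it. The ingest pipeline is not part of this hunk, so this is inferred from the generated output; the sample should be regenerated once the header grok is fixed, and until then a short note above the sample in the docs saying that Nexus auth events are not yet normalized to ECS would set expectations.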
@@ -0,0 +1,2770 @@ +# Cisco Integration (Deprecated) + +> Warning: This integration is deprecated. Please use one of the other Cisco integrations +> that are specific to a Cisco product. + +This integration is for [Cisco network devices](https://developer.cisco.com/docs/) logs. It includes the following datasets for receiving logs over syslog or read from a file: + +- `asa` dataset: supports Cisco ASA firewall logs. +- `ftd` dataset: supports Cisco Firepower Threat Defense logs. +- `ios` dataset: supports Cisco IOS router and switch logs. +- `nexus` fileset: supports Cisco Nexus switch logs. +- `meraki` dataset: supports Cisco Meraki logs. + +## Compatibility + +## Logs + +### ASA + +The `asa` dataset collects the Cisco firewall logs. + +An example event for `asa` looks as following: + +```json +{ + "@timestamp": "2018-10-10T12:34:56.000Z", + "agent": { + "ephemeral_id": "a548620b-0623-4130-b586-fe233f00e6e5", + "hostname": "docker-fleet-agent", + "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.14.0" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "data_stream": { + "dataset": "cisco.asa", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "100.66.98.44", + "ip": "100.66.98.44", + "port": 8256 + }, + "ecs": { + "version": "1.10.0" + }, + "elastic_agent": { + "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "snapshot": true, + "version": "7.14.0" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "305011", + "dataset": "cisco.asa", + "ingested": "2021-07-19T08:54:36.436846422Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:100.66.98.44/8256\n", + "severity": 6, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + 
"hostname": "localhost", + "name": "docker-fleet-agent" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "informational", + "source": { + "address": "172.23.0.4:59451" + } + }, + "network": { + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "100.66.98.44" + ] + }, + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "tags": [ + "preserve_original_event", + "cisco-asa", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.asa.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.asa.burst.configured_rate | The current configured burst rate | keyword | +| cisco.asa.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.asa.burst.current_rate | The current burst rate seen | keyword | +| cisco.asa.burst.id | The related rate ID for burst warnings | keyword | +| cisco.asa.burst.object | The related object for burst warnings | keyword | +| cisco.asa.command_line_arguments | The command line arguments logged by the local audit log | keyword | +| cisco.asa.connection_id | Unique identifier for a flow. 
| keyword | +| cisco.asa.connection_type | The VPN connection type | keyword | +| cisco.asa.dap_records | The assigned DAP records | keyword | +| cisco.asa.destination_interface | Destination interface for the flow or event. | keyword | +| cisco.asa.destination_username | Name of the user that is the destination for this event. | keyword | +| cisco.asa.icmp_code | ICMP code. | short | +| cisco.asa.icmp_type | ICMP type. | short | +| cisco.asa.mapped_destination_host | | keyword | +| cisco.asa.mapped_destination_ip | The translated destination IP address. | ip | +| cisco.asa.mapped_destination_port | The translated destination port. | long | +| cisco.asa.mapped_source_host | | keyword | +| cisco.asa.mapped_source_ip | The translated source IP address. | ip | +| cisco.asa.mapped_source_port | The translated source port. | long | +| cisco.asa.message_id | The Cisco ASA message identifier. | keyword | +| cisco.asa.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword | +| cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.asa.security | Cisco FTD security event fields. | flattened | +| cisco.asa.source_interface | Source interface for the flow or event. | keyword | +| cisco.asa.source_username | Name of the user that is the source for this event. | keyword | +| cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword | +| cisco.asa.termination_user | AAA name of user requesting termination | keyword | +| cisco.asa.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | +| cisco.asa.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. 
| keyword | +| cisco.asa.username | | keyword | +| cisco.asa.webvpn.group_name | The WebVPN group name the user belongs to | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. 
Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. 
It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. 
Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. 
Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. 
| keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| syslog.facility.code | Syslog numeric facility of the event. | long | +| syslog.priority | Syslog priority of the event. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. 
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +### FTD + +The `ftd` dataset collects the Firepower Threat Defense logs. 
+ +An example event for `ftd` looks as following: + +```json +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "915b9d78-907c-4615-90f8-e2997777f537", + "hostname": "docker-fleet-agent", + "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.14.0" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "213.211.198.62", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": "http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco.ftd", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "213.211.198.62", + "as": { + "number": 43341, + "organization": { + "name": "MDlink online service center GmbH" + } + }, + "geo": { + "city_name": "Magdeburg", + "continent_name": "Europe", + "country_iso_code": "DE", + "country_name": "Germany", + "location": { + "lat": 52.1333, + "lon": 11.6167 + }, + "region_iso_code": "DE-ST", + "region_name": "Saxony-Anhalt" + }, + "ip": "213.211.198.62", + "port": 80 + }, + "ecs": { + "version": "1.10.0" + }, + "elastic_agent": { + "id": 
"3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "snapshot": true, + "version": "7.14.0" + }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + "malware" + ], + "code": "430005", + "dataset": "cisco.ftd", + "ingested": "2021-07-19T08:56:32.448763106Z", + "kind": "alert", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 213.211.198.62, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "firepower", + "name": "docker-fleet-agent" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "alert", + "source": { + "address": "172.23.0.4:41328" + } + }, + "network": { + "application": "curl", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "213.211.198.62" + ], + "user": [ + "No Authentication Required" + ] + }, + 
"source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + "tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.ftd.burst.configured_rate | The current configured burst rate | keyword | +| cisco.ftd.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.ftd.burst.current_rate | The current burst rate seen | keyword | +| cisco.ftd.burst.id | The related rate ID for burst warnings | keyword | +| cisco.ftd.burst.object | The related object for burst warnings | keyword | +| cisco.ftd.command_line_arguments | The command line arguments logged by the local audit log | keyword | +| cisco.ftd.connection_id | Unique identifier for a flow. | keyword | +| cisco.ftd.connection_type | The VPN connection type | keyword | +| cisco.ftd.dap_records | The assigned DAP records | keyword | +| cisco.ftd.destination_interface | Destination interface for the flow or event. | keyword | +| cisco.ftd.destination_username | Name of the user that is the destination for this event. | keyword | +| cisco.ftd.icmp_code | ICMP code. | short | +| cisco.ftd.icmp_type | ICMP type. | short | +| cisco.ftd.mapped_destination_host | | keyword | +| cisco.ftd.mapped_destination_ip | The translated destination IP address. 
| ip | +| cisco.ftd.mapped_destination_port | The translated destination port. | long | +| cisco.ftd.mapped_source_host | | keyword | +| cisco.ftd.mapped_source_ip | The translated source IP address. | ip | +| cisco.ftd.mapped_source_port | The translated source port. | long | +| cisco.ftd.message_id | The Cisco FTD message identifier. | keyword | +| cisco.ftd.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.ftd.privilege.old | When a users privilege is changed this is the old value | keyword | +| cisco.ftd.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.ftd.security | Cisco FTD security event fields. | flattened | +| cisco.ftd.source_interface | Source interface for the flow or event. | keyword | +| cisco.ftd.source_username | Name of the user that is the source for this event. | keyword | +| cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword | +| cisco.ftd.termination_user | AAA name of user requesting termination | keyword | +| cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | +| cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | +| cisco.ftd.username | | keyword | +| cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
| keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. 
| keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. 
`event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.status_code | HTTP response status code. | long | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. 
If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. 
| keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| syslog.facility.code | Syslog numeric facility of the event. | long | +| syslog.priority | Syslog priority of the event. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". 
Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + + +### IOS + +The `ios` dataset collects the Cisco IOS router and switch logs. 
+ +An example event for `ios` looks as following: + +```json +{ + "@timestamp": "2021-07-19T08:58:29.370Z", + "agent": { + "ephemeral_id": "7e9d4c95-b972-479d-bc6c-2ac0d05f3eb1", + "hostname": "docker-fleet-agent", + "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.14.0" + }, + "cisco": { + "ios": { + "access_list": "177", + "facility": "SEC" + } + }, + "data_stream": { + "dataset": "cisco.ios", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "224.0.0.22", + "ip": "224.0.0.22" + }, + "ecs": { + "version": "1.10.0" + }, + "elastic_agent": { + "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "snapshot": true, + "version": "7.14.0" + }, + "event": { + "action": "deny", + "agent_id_status": "verified", + "category": "network", + "code": "IPACCESSLOGRP", + "dataset": "cisco.ios", + "ingested": "2021-07-19T08:58:30.397370366Z", + "original": "Feb 8 04:00:48 198.51.100.2 585917: Feb 8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -\u003e 224.0.0.22, 1 packet\n", + "provider": "firewall", + "sequence": 585917, + "severity": 6, + "timezone": "+00:00", + "type": "denied" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "informational", + "source": { + "address": "198.51.100.2" + } + }, + "message": "list 177 denied igmp 198.51.100.197 -\u003e 224.0.0.22, 1 packet", + "network": { + "community_id": "1:Rt5RGlrNED3cg8Wokm4+KGsDz+4=", + "packets": 1, + "transport": "igmp", + "type": "ipv4" + }, + "related": { + "ip": [ + "198.51.100.197", + "224.0.0.22" + ] + }, + "source": { + "address": "198.51.100.197", + "ip": "198.51.100.197", + "packets": 1 + }, + "tags": [ + "preserve_original_event", + "cisco-ios", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco.ios.access_list | Name of the IP access list. 
| keyword | +| cisco.ios.action | Action taken by the device | keyword | +| cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword | +| cisco.ios.outcome | The result of the event | keyword | +| cisco.ios.pim.group.ip | Multicast group IP | ip | +| cisco.ios.pim.source.ip | Multicast source IP | ip | +| cisco.ios.session.number | Session ID | integer | +| cisco.ios.session.type | Session type | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic.agent.id | | keyword | +| elastic.agent.snapshot | | boolean | +| elastic.agent.version | | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
| keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. 
| keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| hostname | Hostname from syslog header. | keyword | +| icmp.code | ICMP code. | keyword | +| icmp.type | ICMP type. | keyword | +| igmp.type | IGMP type. | keyword | +| input.type | | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | | long | +| log.source.address | | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| process.program | Process from syslog header. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | + + +### Nexus + +The `nexus` dataset collects Cisco Nexus logs. + +An example event for `nexus` looks as following: + +```json +{ + "@timestamp": "2022-01-25T08:47:14.944Z", + "agent": { + "ephemeral_id": "091f3442-1209-4033-8434-e8c731c8a092", + "hostname": "docker-fleet-agent", + "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "data_stream": { + "dataset": "cisco.nexus", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "1.12.0" + }, + "elastic_agent": { + "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "agent_id_status": "verified", + "code": "pam_aaa", + "dataset": "cisco.nexus", + "ingested": "2022-01-25T08:47:15Z", + "original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login\n", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.19.0.4:54372" + } + }, + "observer": { + "product": "Nexus", + "type": "Switches", + "vendor": "Cisco" + }, + "rsa": { + "internal": { + "messageid": "pam_aaa" + }, + "time": { + "timezone": "Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG" + } + }, + "tags": [ + "preserve_original_event", + "cisco-nexus", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. 
If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). 
| keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
| keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. 
| keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + + +### Meraki + +The `meraki` dataset collects Cisco Meraki logs. 
+ +An example event for `meraki` looks as following: + +```json +{ + "@timestamp": "2016-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "0f004ed2-0b2a-4215-8b24-e652cef37253", + "hostname": "docker-fleet-agent", + "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.16.2" + }, + "data_stream": { + "dataset": "cisco.meraki", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": [ + "10.193.124.51" + ], + "port": 5293 + }, + "ecs": { + "version": "1.12.0" + }, + "elastic_agent": { + "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c", + "snapshot": false, + "version": "7.16.2" + }, + "event": { + "action": "deny\n", + "agent_id_status": "verified", + "code": "security_event", + "dataset": "cisco.meraki", + "ingested": "2022-01-25T09:01:37Z", + "original": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny\n", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.19.0.4:59238" + } + }, + "observer": { + "product": "Meraki", + "type": "Wireless", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.193.124.51", + "10.15.44.253" + ] + }, + "rsa": { + "internal": { + "event_desc": "olaborissecurity_event tur", + "messageid": "security_event" + }, + "misc": { + "action": [ + "deny\n" + ], + "disposition": "ntium", + "event_type": "security_event", + "node": "nto_", + "sensor": "nto_" + }, + "time": { + "event_time": "2016-01-29T06:09:59.000Z" + } + }, + "source": { + "ip": [ + "10.15.44.253" + ], + "mac": "01:00:5e:28:ae:7d", + "port": 5078 + }, + "tags": [ + "preserve_original_event", + "cisco-meraki", + "forwarded" + ], + "url": { + "original": "https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac" + } +} +``` + +**Exported fields** + +| 
Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. 
| keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. 
| keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. 
| keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+
diff --git a/packages/cisco/0.13.3/img/cisco.svg b/packages/cisco/0.13.3/img/cisco.svg
new file mode 100755
index 0000000000..20ebebf197
--- /dev/null
+++ b/packages/cisco/0.13.3/img/cisco.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/img/kibana-cisco-asa.png b/packages/cisco/0.13.3/img/kibana-cisco-asa.png
new file mode 100755
index 0000000000..ad51be2204
Binary files /dev/null and b/packages/cisco/0.13.3/img/kibana-cisco-asa.png differ
diff --git a/packages/cisco/0.13.3/kibana/dashboard/cisco-a555b160-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/dashboard/cisco-a555b160-4987-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..bca683b7a6
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/dashboard/cisco-a555b160-4987-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,53 @@
+{
+ "attributes": {
+ "description": "Sample dashboard for Cisco ASA Firewall devices",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Destination Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Source Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"ASA Firewall Events Over Time\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"ASA Flows by Network Bytes\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"title\":\"Blocked by Source\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_5\",\"title\":\"Top ACL by Blocked\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"9\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]",
+ "timeRestore": false,
+ "title": "[Cisco] ASA Firewall",
+ "version": 1
+ },
+ "id": "cisco-a555b160-4987-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "cisco-118da960-4987-11e9-b8ce-ed898b5ef295",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "cisco-5d0322d0-4987-11e9-b8ce-ed898b5ef295",
+ "name": "panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "cisco-a3b5ab10-4989-11e9-b8ce-ed898b5ef295",
+ "name": "panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "cisco-80d0c1b0-498a-11e9-b8ce-ed898b5ef295",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "cisco-d05cdf60-498b-11e9-b8ce-ed898b5ef295",
+ "name": "panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "cisco-08ef4d90-499b-11e9-b8ce-ed898b5ef295",
+ "name": "panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "cisco-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295",
+ "name": "panel_6",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/kibana/search/cisco-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/search/cisco-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..44728b96aa
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/search/cisco-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,29 @@
+{
+ "attributes": {
+ "columns": [
+ "_source"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"cisco.asa.message_id :*\"},\"version\":true}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "All ASA Logs [Cisco]",
+ "version": 1
+ },
+ "id": "cisco-14fce5e0-498f-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
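Review bot: The KQL embedded in searchSourceJSON of this saved search, `cisco.asa.message_id :*`, puts a space before the colon, while the two sibling searches in this commit (cisco-753406e0 and cisco-96c6ff60) write `cisco.asa.message_id:*`. I believe KQL tolerates the whitespace, so this is a point of style only, but the three saved searches are easier to grep and compare if they use one form. Writing it as `\"query\":\"cisco.asa.message_id:*\"` matches the other two.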
diff --git a/packages/cisco/0.13.3/kibana/search/cisco-753406e0-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/search/cisco-753406e0-4986-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..c81e4abb75
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/search/cisco-753406e0-4986-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,29 @@
+{
+ "attributes": {
+ "columns": [
+ "_source"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"cisco.asa.message_id:* and event.action:\\\"flow-expiration\\\"\"},\"version\":true}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "ASA Firewall flows [Cisco]",
+ "version": 1
+ },
+ "id": "cisco-753406e0-4986-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/kibana/search/cisco-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/search/cisco-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..63d66c3574
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/search/cisco-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,29 @@
+{
+ "attributes": {
+ "columns": [
+ "_source"
+ ],
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"cisco.asa.message_id:* and event.action:\\\"firewall-rule\\\"\"},\"version\":true}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "ASA Firewall Events [Cisco]",
+ "version": 1
+ },
+ "id": "cisco-96c6ff60-4986-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/kibana/visualization/cisco-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/visualization/cisco-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..6d17f1fc9c
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/visualization/cisco-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.outcome:\\\"deny\\\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "ASA Top ACL by Blocked [Cisco]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ACL ID\",\"field\":\"cisco.asa.rule_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Top ACL by Blocked [Cisco]\",\"type\":\"table\"}"
+ },
+ "id": "cisco-08ef4d90-499b-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "cisco-96c6ff60-4986-11e9-b8ce-ed898b5ef295",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/kibana/visualization/cisco-118da960-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/visualization/cisco-118da960-4987-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..1a79bc5ab4
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/visualization/cisco-118da960-4987-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Destination Port and Transport [Cisco]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Destination Port and Transport [Cisco]\",\"type\":\"pie\"}"
+ },
+ "id": "cisco-118da960-4987-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "cisco-753406e0-4986-11e9-b8ce-ed898b5ef295",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/kibana/visualization/cisco-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/visualization/cisco-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..723d6d8e55
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/visualization/cisco-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Source Port and Transport [Cisco]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Source Port and Transport [Cisco]\",\"type\":\"pie\"}"
+ },
+ "id": "cisco-5d0322d0-4987-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "cisco-753406e0-4986-11e9-b8ce-ed898b5ef295",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/kibana/visualization/cisco-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/visualization/cisco-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..5cdc6043cc
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/visualization/cisco-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "ASA Flows by Network Bytes [Cisco]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"3\",\"label\":\"Total bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total bytes\"},\"type\":\"value\"}]},\"title\":\"ASA Flows by Network Bytes [Cisco]\",\"type\":\"histogram\"}"
+ },
+ "id": "cisco-80d0c1b0-498a-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "cisco-753406e0-4986-11e9-b8ce-ed898b5ef295",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/kibana/visualization/cisco-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/visualization/cisco-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..4df81b14ae
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/visualization/cisco-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "ASA Events Over Time [Cisco]",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"ASA Events Over Time [Cisco]\",\"type\":\"histogram\"}"
+ },
+ "id": "cisco-a3b5ab10-4989-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "cisco-96c6ff60-4986-11e9-b8ce-ed898b5ef295",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/kibana/visualization/cisco-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/visualization/cisco-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..23c96a604e
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/visualization/cisco-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "ASA Firewall Blocked by Source [Cisco]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Firewall Blocked by Source [Cisco]\",\"type\":\"table\"}"
+ },
+ "id": "cisco-d05cdf60-498b-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "cisco-96c6ff60-4986-11e9-b8ce-ed898b5ef295",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
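Review bot: In the seriesParams entry of this visualization's visState, the series visibility flag is stored as a string, `\"show\":\"true\"`, while every other boolean in the same object (`\"show\":true` on categoryAxes and valueAxes) and the sibling histogram cisco-80d0c1b0 use a bare JSON boolean. Kibana's rendering most likely treats the non-empty string as truthy, but a strict schema check or a migration that compares the value with `=== true` would not, and it reads as a typo in an otherwise consistently typed export. Changing it to `\"show\":true,` brings the series in line with the rest of the saved object.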
diff --git a/packages/cisco/0.13.3/kibana/visualization/cisco-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json b/packages/cisco/0.13.3/kibana/visualization/cisco-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json
new file mode 100755
index 0000000000..63aef5f85a
--- /dev/null
+++ b/packages/cisco/0.13.3/kibana/visualization/cisco-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json
@@ -0,0 +1,22 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Top ASA Messages [Cisco]",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ID\",\"field\":\"cisco.asa.message_id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Severity\",\"field\":\"log.level\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Sample message\",\"field\":\"event.original\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top ASA Messages [Cisco]\",\"type\":\"table\"}"
+ },
+ "id": "cisco-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295",
+ "references": [
+ {
+ "id": "cisco-14fce5e0-498f-11e9-b8ce-ed898b5ef295",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/cisco/0.13.3/manifest.yml b/packages/cisco/0.13.3/manifest.yml
new file mode 100755
index 0000000000..2b4ec970c6
--- /dev/null
+++ b/packages/cisco/0.13.3/manifest.yml
@@ -0,0 +1,39 @@
+format_version: 1.0.0
+name: cisco
+title: Cisco
+version: 0.13.3
+license: basic
+description: Deprecated. Use a specific Cisco package instead.
+type: integration
+categories:
+ - network
+ - security
+release: experimental
+conditions:
+ kibana.version: "^7.16.0"
+screenshots:
+ - src: /img/kibana-cisco-asa.png
+ title: kibana cisco asa
+ size: 1800x1559
+ type: image/png
+icons:
+ - src: /img/cisco.svg
+ title: cisco
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: cisco
+ title: Cisco logs
+ description: Collect logs from Cisco instances
+ inputs:
+ - type: udp
+ title: Collect logs from Cisco via UDP
+ description: Collecting logs from Cisco via UDP
+ - type: tcp
+ title: Collect logs from Cisco via TCP
+ description: Collecting logs from Cisco via TCP
+ - type: logfile
+ title: Collect logs from Cisco via file
+ description: Collecting logs from Cisco via file
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cyberark/0.5.1/changelog.yml b/packages/cyberark/0.5.1/changelog.yml
new file mode 100755
index 0000000000..cfb4bcc253
--- /dev/null
+++ b/packages/cyberark/0.5.1/changelog.yml
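Review bot: `version: 0.13.3` and `format_version: 1.0.0` in this manifest are plain scalars; they are read as strings only because a value with two dots is not a valid YAML number, so the same pattern with a single-dot value (a hypothetical `1.0`) would silently become a float under most loaders. The cyberark changelog added in this same commit quotes its versions (`version: "0.5.1"`), so quoting here, `version: "0.13.3"` and `format_version: "1.0.0"`, keeps the package metadata consistent and removes the dependence on the dot count. The already-quoted `kibana.version: "^7.16.0"` shows the intended style.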
@@ -0,0 +1,82 @@
+# newer versions go on top
+- version: "0.5.1"
+ changes:
+ - description: Update to readme to add vendor link
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3537
+- version: "0.5.0"
+ changes:
+ - description: Update to ECS 8.0.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2582
+- version: "0.4.5"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.4.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2023
+ - description: Remove dash from title for consistency with brand.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2004
+- version: "0.4.3"
+ changes:
+ - description: Update title and description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "0.4.2"
+ changes:
+ - description: Fixed a bug that prevents the package from working in 7.16.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1882
+- version: "0.4.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1813
+- version: "0.4.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1656
+- version: "0.3.3"
+ changes:
+ - description: Requires version 7.14.1 of the stack
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1541
+- version: "0.3.2"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1473
+- version: '0.3.1'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1379
+- version: "0.3.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1259
+ - description: Add deprecation notes to title and description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1259
+- version: "0.2.0"
+ changes:
+ - description: update to ECS 1.10.0 and add event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1037
+- version: "0.1.4"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/842
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/package-storage/pull/400
diff --git a/packages/cyberark/0.5.1/data_stream/corepas/agent/stream/stream.yml.hbs b/packages/cyberark/0.5.1/data_stream/corepas/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..5ccf63b399
--- /dev/null
+++ b/packages/cyberark/0.5.1/data_stream/corepas/agent/stream/stream.yml.hbs
@@ -0,0 +1,8833 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cyberark" + product: "Core" + type: "Access" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, + ])); + + var dup153 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup4, + dup2, + dup3, + ])); + + var dup154 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", 
processor_chain([ + dup4, + dup2, + ])); + + var dup155 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, + ])); + + var dup156 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + ])); + + var dup157 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": 
"severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, + ])); + + var dup158 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + ])); + + var dup159 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup19, + dup2, + dup3, + ])); + + var dup160 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, + ])); + + var dup161 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup2, + dup3, + ])); + + var dup162 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, + ])); + + var dup163 = tagval("MESSAGE#38:22:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup21, + dup2, + dup3, + ])); + + var dup164 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, + ])); + + var dup165 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + 
"Version": "version", + }, processor_chain([ + dup23, + dup2, + dup3, + ])); + + var dup166 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, + ])); + + var dup167 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup20, + dup2, + dup3, + ])); + + var dup168 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, + ])); + + var dup169 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + ])); + + var dup170 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, + ])); + + var dup171 = tagval("MESSAGE#190:98:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, + ])); + + var dup172 = linear_select([ + dup32, + dup33, + ]); + + var dup173 = linear_select([ + dup34, + dup35, + ]); + + var dup174 = linear_select([ + dup36, + dup37, + ]); + + var dup175 = linear_select([ + dup38, + dup39, + ]); + + var dup176 = linear_select([ + dup40, + dup41, + ]); + + var dup177 = linear_select([ + dup42, + dup43, + ]); + + var dup178 = linear_select([ + dup44, + dup45, + ]); + + var dup179 = linear_select([ + dup46, + dup47, + ]); + + var dup180 = linear_select([ + dup48, + dup49, + ]); + + var dup181 = linear_select([ + dup50, + dup51, + ]); + + var dup182 = linear_select([ + dup52, + dup53, + ]); + + var dup183 = linear_select([ + dup54, + dup55, + ]); + + var dup184 = linear_select([ + dup56, + dup57, + ]); + + var dup185 = linear_select([ + dup58, + dup59, + ]); + + var dup186 = linear_select([ + dup60, + dup61, + ]); + + var dup187 = linear_select([ + dup62, + dup63, + ]); + + var dup188 = linear_select([ + dup64, + dup65, + ]); + + var dup189 = linear_select([ + dup66, + dup67, + ]); + + var dup190 = linear_select([ + dup68, + dup69, + ]); + + var dup191 = linear_select([ + dup70, + dup71, + ]); + + var dup192 = linear_select([ + dup72, + dup73, + ]); + + var dup193 = linear_select([ + dup74, + dup75, + ]); + + var dup194 = 
linear_select([ + dup76, + dup77, + ]); + + var dup195 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, + ])); + + var dup196 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, + ])); + + var dup197 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + 
"SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup82, + dup2, + dup3, + ])); + + var dup198 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, + ])); + + var dup199 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup83, + dup2, + dup3, + ])); + + var dup200 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, + ])); + + var dup201 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var dup202 = linear_select([ + dup85, + dup86, + ]); + + var dup203 = linear_select([ + dup88, + dup89, + ]); + + var dup204 = linear_select([ + dup91, + dup92, + ]); + + var dup205 = linear_select([ + dup94, + dup95, + ]); + + var dup206 = linear_select([ + dup97, + dup98, + ]); + + var dup207 = linear_select([ + dup100, + dup101, + ]); + + var dup208 = linear_select([ + dup103, + dup104, + ]); + + var dup209 = linear_select([ + dup106, + dup107, + ]); + + var dup210 = linear_select([ + dup109, + dup110, + ]); + + var dup211 = linear_select([ + dup112, + dup113, + ]); + + var dup212 = linear_select([ + dup115, + dup116, + dup117, + dup118, + ]); + + var dup213 = linear_select([ + dup120, + dup121, + ]); + + var dup214 = linear_select([ + dup123, + dup124, + ]); + + var dup215 = linear_select([ + dup126, + dup127, + ]); + + var dup216 = 
linear_select([ + dup129, + dup130, + ]); + + var dup217 = linear_select([ + dup132, + dup133, + ]); + + var dup218 = linear_select([ + dup135, + dup136, + ]); + + var dup219 = linear_select([ + dup138, + dup139, + ]); + + var dup220 = linear_select([ + dup141, + dup142, + ]); + + var dup221 = linear_select([ + dup144, + dup145, + ]); + + var dup222 = linear_select([ + dup147, + dup148, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld1"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld4"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr5 = match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", 
processor_chain([ + setc("header_id","0004"), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0006"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var msg1 = msg("1:01", dup151); + + var msg2 = msg("1", dup152); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("2:01", dup153); + + var msg4 = msg("2", dup154); + + var select3 = linear_select([ + msg3, + msg4, + ]); + + var msg5 = msg("3:01", dup151); + + var msg6 = msg("3", dup152); + + var select4 = linear_select([ + msg5, + msg6, + ]); + + var msg7 = msg("4:01", dup155); + + var msg8 = msg("4", dup156); + + var select5 = linear_select([ + msg7, + msg8, + ]); + + var part1 = tagval("MESSAGE#8:7:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, + dup3, + ])); + + var msg9 = msg("7:01", part1); + + var part2 = match("MESSAGE#9:7", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, + ])); + + var msg10 = msg("7", part2); + + var select6 = linear_select([ + msg9, + msg10, + ]); + + var part3 = tagval("MESSAGE#10:8:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, + dup3, + ])); + + var msg11 = msg("8:01", part3); + + var part4 = match("MESSAGE#11:8", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, + ])); + + var msg12 = msg("8", part4); + + var select7 = linear_select([ + msg11, + msg12, + ]); + + var part5 = tagval("MESSAGE#12:9:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup1, + dup14, + dup9, + dup2, + dup3, + ])); + + var msg13 = msg("9:01", part5); + + var part6 = match("MESSAGE#13:9", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup14, + dup9, + dup2, + ])); + + var msg14 = msg("9", part6); + + var select8 = linear_select([ + msg13, + msg14, + ]); + + var msg15 = msg("10:01", dup151); + + var msg16 = msg("10", dup152); + + var select9 = linear_select([ + msg15, + msg16, + ]); + + var msg17 = msg("11:01", dup151); + + var msg18 = msg("11", dup152); + + var select10 = linear_select([ + msg17, + msg18, + ]); + + var msg19 = msg("12:01", dup151); + + var msg20 = msg("12", dup152); + + var select11 = linear_select([ + msg19, + msg20, + ]); + + var msg21 = msg("13:01", dup157); + + var msg22 = msg("13", dup158); + + var select12 = linear_select([ + msg21, + msg22, + ]); + + var msg23 = msg("14:01", dup157); + + var msg24 = msg("14", dup158); + + var select13 = linear_select([ + msg23, + msg24, + ]); + + var part7 = tagval("MESSAGE#24:15:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + 
"Version": "version", + }, processor_chain([ + dup15, + dup18, + dup9, + dup2, + dup3, + ])); + + var msg25 = msg("15:01", part7); + + var part8 = match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup18, + dup9, + dup2, + ])); + + var msg26 = msg("15", part8); + + var select14 = linear_select([ + msg25, + msg26, + ]); + + var msg27 = msg("16:01", dup159); + + var msg28 = msg("16", dup160); + + var select15 = linear_select([ + msg27, + msg28, + ]); + + var msg29 = msg("17:01", dup151); + + var msg30 = msg("17", dup152); + + var select16 = linear_select([ + msg29, + msg30, + ]); + + var msg31 = msg("18:01", dup161); + + var msg32 = msg("18", dup162); + + var select17 = linear_select([ + msg31, + msg32, + ]); + + var part9 = tagval("MESSAGE#32:19:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup20, + dup16, 
+ dup11, + dup2, + dup3, + ])); + + var msg33 = msg("19:01", part9); + + var part10 = match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup16, + dup11, + dup2, + ])); + + var msg34 = msg("19", part10); + + var select18 = linear_select([ + msg33, + msg34, + ]); + + var part11 = tagval("MESSAGE#34:20:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup19, + dup16, + dup2, + dup3, + ])); + + var msg35 = msg("20:01", part11); + + var part12 = match("MESSAGE#35:20", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup16, + dup2, + ])); + + var msg36 = msg("20", part12); + + var select19 = linear_select([ + msg35, + msg36, + ]); + + var part13 = tagval("MESSAGE#36:21:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup16, + dup9, + dup2, + dup3, + ])); + + var msg37 = msg("21:01", part13); + + var part14 = match("MESSAGE#37:21", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup9, + dup2, + ])); + + var msg38 = msg("21", part14); + + var select20 = linear_select([ + msg37, + msg38, + ]); + + var msg39 = msg("22:01", dup163); + + var msg40 = msg("22", dup164); + + var select21 = linear_select([ + msg39, + msg40, + ]); + + var part15 = tagval("MESSAGE#40:23:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup22, + dup2, + dup3, + ])); + + var msg41 = msg("23:01", part15); + + var part16 = match("MESSAGE#41:23", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup22, + dup2, + ])); + + var msg42 = msg("23", part16); + + var select22 = linear_select([ + msg41, + msg42, + ]); + + var msg43 = msg("24:01", dup163); + + var msg44 = msg("24", dup164); + + var select23 = linear_select([ + msg43, + msg44, + ]); + + var msg45 = msg("25:01", dup151); + + var msg46 = msg("25", dup152); + + var select24 = linear_select([ + msg45, + msg46, + ]); + + var msg47 = msg("26:01", dup151); + + var msg48 = msg("26", dup152); + + var select25 = linear_select([ + msg47, + msg48, + ]); + + var msg49 = msg("27:01", dup151); + + var msg50 = msg("27", dup152); + + var select26 = linear_select([ + msg49, + msg50, + ]); + + var msg51 = msg("28:01", dup163); + + var msg52 = msg("28", dup164); + + var select27 = linear_select([ + msg51, + msg52, + ]); + + var msg53 = msg("29:01", dup151); + + var msg54 = msg("29", dup152); + + var select28 = linear_select([ + msg53, + msg54, + ]); + + var msg55 = msg("30:01", dup151); + + var msg56 = msg("30", dup152); + + var select29 = linear_select([ + msg55, + msg56, + ]); + + var msg57 = msg("31:01", dup163); + + var msg58 = msg("31", dup164); + + var select30 = linear_select([ + msg57, + msg58, + ]); + + var msg59 = msg("32:01", dup163); + + var msg60 = msg("32", dup164); + + var select31 = linear_select([ + msg59, + msg60, + ]); + + var msg61 = msg("33:01", dup163); + + var msg62 = msg("33", dup164); + + var select32 = linear_select([ + msg61, + msg62, + ]); + + var msg63 = 
msg("34:01", dup151); + + var msg64 = msg("34", dup152); + + var select33 = linear_select([ + msg63, + msg64, + ]); + + var msg65 = msg("35:01", dup151); + + var msg66 = msg("35", dup152); + + var select34 = linear_select([ + msg65, + msg66, + ]); + + var msg67 = msg("36:01", dup163); + + var msg68 = msg("36", dup164); + + var select35 = linear_select([ + msg67, + msg68, + ]); + + var msg69 = msg("37:01", dup163); + + var msg70 = msg("37", dup164); + + var select36 = linear_select([ + msg69, + msg70, + ]); + + var msg71 = msg("38:01", dup165); + + var msg72 = msg("38", dup166); + + var select37 = linear_select([ + msg71, + msg72, + ]); + + var msg73 = msg("39:01", dup163); + + var msg74 = msg("39", dup164); + + var select38 = linear_select([ + msg73, + msg74, + ]); + + var msg75 = msg("40:01", dup151); + + var msg76 = msg("40", dup152); + + var select39 = linear_select([ + msg75, + msg76, + ]); + + var msg77 = msg("41:01", dup151); + + var msg78 = msg("41", dup152); + + var select40 = linear_select([ + msg77, + msg78, + ]); + + var msg79 = msg("42:01", dup151); + + var msg80 = msg("42", dup152); + + var select41 = linear_select([ + msg79, + msg80, + ]); + + var msg81 = msg("43:01", dup151); + + var msg82 = msg("43", dup152); + + var select42 = linear_select([ + msg81, + msg82, + ]); + + var msg83 = msg("44:01", dup151); + + var msg84 = msg("44", dup152); + + var select43 = linear_select([ + msg83, + msg84, + ]); + + var msg85 = msg("45:01", dup151); + + var msg86 = msg("45", dup152); + + var select44 = linear_select([ + msg85, + msg86, + ]); + + var msg87 = msg("46:01", dup151); + + var msg88 = msg("46", dup152); + + var select45 = linear_select([ + msg87, + msg88, + ]); + + var msg89 = msg("47:01", dup151); + + var msg90 = msg("47", dup152); + + var select46 = linear_select([ + msg89, + msg90, + ]); + + var msg91 = msg("48:01", dup151); + + var msg92 = msg("48", dup152); + + var select47 = linear_select([ + msg91, + msg92, + ]); + + var msg93 = msg("49:01", 
dup151); + + var msg94 = msg("49", dup152); + + var select48 = linear_select([ + msg93, + msg94, + ]); + + var part17 = tagval("MESSAGE#94:50:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup21, + dup2, + dup3, + dup24, + dup25, + ])); + + var msg95 = msg("50:01", part17); + + var msg96 = msg("50", dup164); + + var select49 = linear_select([ + msg95, + msg96, + ]); + + var msg97 = msg("51:01", dup163); + + var msg98 = msg("51", dup164); + + var select50 = linear_select([ + msg97, + msg98, + ]); + + var msg99 = msg("52:01", dup163); + + var msg100 = msg("52", dup164); + + var select51 = linear_select([ + msg99, + msg100, + ]); + + var msg101 = msg("53:01", dup151); + + var msg102 = msg("53", dup152); + + var select52 = linear_select([ + msg101, + msg102, + ]); + + var msg103 = msg("54:01", dup151); + + var msg104 = msg("54", dup152); + + var select53 = linear_select([ + msg103, + msg104, + ]); + + var msg105 = msg("55:01", dup151); + + var msg106 = msg("55", dup152); + + var select54 = linear_select([ + msg105, + msg106, + ]); + + var msg107 = msg("56:01", dup151); + + var msg108 = msg("56", dup152); + + var select55 = linear_select([ + msg107, + msg108, + ]); + + var msg109 = msg("57:01", dup165); + + var msg110 = msg("57", dup166); + + var select56 = linear_select([ + msg109, + msg110, + ]); + + var msg111 = msg("58:01", dup163); + + var msg112 = 
msg("58", dup164); + + var select57 = linear_select([ + msg111, + msg112, + ]); + + var msg113 = msg("59:01", dup163); + + var msg114 = msg("59", dup164); + + var select58 = linear_select([ + msg113, + msg114, + ]); + + var msg115 = msg("60:01", dup165); + + var msg116 = msg("60", dup166); + + var select59 = linear_select([ + msg115, + msg116, + ]); + + var msg117 = msg("61:01", dup167); + + var msg118 = msg("61", dup168); + + var select60 = linear_select([ + msg117, + msg118, + ]); + + var msg119 = msg("62:01", dup163); + + var msg120 = msg("62", dup164); + + var select61 = linear_select([ + msg119, + msg120, + ]); + + var msg121 = msg("63:01", dup151); + + var msg122 = msg("63", dup152); + + var select62 = linear_select([ + msg121, + msg122, + ]); + + var msg123 = msg("64:01", dup167); + + var msg124 = msg("64", dup168); + + var select63 = linear_select([ + msg123, + msg124, + ]); + + var msg125 = msg("65:01", dup151); + + var msg126 = msg("65", dup152); + + var select64 = linear_select([ + msg125, + msg126, + ]); + + var msg127 = msg("66:01", dup169); + + var msg128 = msg("66", dup170); + + var select65 = linear_select([ + msg127, + msg128, + ]); + + var msg129 = msg("67:01", dup169); + + var msg130 = msg("67", dup170); + + var select66 = linear_select([ + msg129, + msg130, + ]); + + var msg131 = msg("68:01", dup169); + + var msg132 = msg("68", dup170); + + var select67 = linear_select([ + msg131, + msg132, + ]); + + var msg133 = msg("69:01", dup169); + + var msg134 = msg("69", dup170); + + var select68 = linear_select([ + msg133, + msg134, + ]); + + var msg135 = msg("70:01", dup151); + + var msg136 = msg("70", dup152); + + var select69 = linear_select([ + msg135, + msg136, + ]); + + var msg137 = msg("71:01", dup169); + + var msg138 = msg("71", dup170); + + var select70 = linear_select([ + msg137, + msg138, + ]); + + var msg139 = msg("72:01", dup151); + + var msg140 = msg("72", dup152); + + var select71 = linear_select([ + msg139, + msg140, + ]); + + var msg141 
= msg("73:01", dup169); + + var msg142 = msg("73", dup170); + + var select72 = linear_select([ + msg141, + msg142, + ]); + + var msg143 = msg("74:01", dup151); + + var msg144 = msg("74", dup152); + + var select73 = linear_select([ + msg143, + msg144, + ]); + + var msg145 = msg("75:01", dup169); + + var msg146 = msg("75", dup170); + + var select74 = linear_select([ + msg145, + msg146, + ]); + + var msg147 = msg("76:01", dup151); + + var msg148 = msg("76", dup152); + + var select75 = linear_select([ + msg147, + msg148, + ]); + + var msg149 = msg("77:01", dup151); + + var msg150 = msg("77", dup152); + + var select76 = linear_select([ + msg149, + msg150, + ]); + + var msg151 = msg("78:01", dup151); + + var msg152 = msg("78", dup152); + + var select77 = linear_select([ + msg151, + msg152, + ]); + + var msg153 = msg("79:01", dup169); + + var msg154 = msg("79", dup170); + + var select78 = linear_select([ + msg153, + msg154, + ]); + + var msg155 = msg("80:01", dup169); + + var msg156 = msg("80", dup170); + + var select79 = linear_select([ + msg155, + msg156, + ]); + + var msg157 = msg("81:01", dup167); + + var msg158 = msg("81", dup168); + + var select80 = linear_select([ + msg157, + msg158, + ]); + + var msg159 = msg("82:01", dup151); + + var msg160 = msg("82", dup152); + + var select81 = linear_select([ + msg159, + msg160, + ]); + + var msg161 = msg("83:01", dup169); + + var msg162 = msg("83", dup170); + + var select82 = linear_select([ + msg161, + msg162, + ]); + + var msg163 = msg("84:01", dup169); + + var msg164 = msg("84", dup170); + + var select83 = linear_select([ + msg163, + msg164, + ]); + + var msg165 = msg("85:01", dup151); + + var msg166 = msg("85", dup152); + + var select84 = linear_select([ + msg165, + msg166, + ]); + + var msg167 = msg("86:01", dup159); + + var msg168 = msg("86", dup160); + + var select85 = linear_select([ + msg167, + msg168, + ]); + + var msg169 = msg("87:01", dup151); + + var msg170 = msg("87", dup152); + + var select86 = linear_select([ 
+ msg169, + msg170, + ]); + + var msg171 = msg("88:01", dup169); + + var msg172 = msg("88", dup170); + + var select87 = linear_select([ + msg171, + msg172, + ]); + + var msg173 = msg("89:01", dup151); + + var msg174 = msg("89", dup152); + + var select88 = linear_select([ + msg173, + msg174, + ]); + + var msg175 = msg("90:01", dup151); + + var msg176 = msg("90", dup152); + + var select89 = linear_select([ + msg175, + msg176, + ]); + + var msg177 = msg("91:01", dup151); + + var msg178 = msg("91", dup152); + + var select90 = linear_select([ + msg177, + msg178, + ]); + + var msg179 = msg("92:01", dup151); + + var msg180 = msg("92", dup152); + + var select91 = linear_select([ + msg179, + msg180, + ]); + + var msg181 = msg("93:01", dup151); + + var msg182 = msg("93", dup152); + + var select92 = linear_select([ + msg181, + msg182, + ]); + + var msg183 = msg("94:01", dup169); + + var msg184 = msg("94", dup170); + + var select93 = linear_select([ + msg183, + msg184, + ]); + + var msg185 = msg("95:01", dup169); + + var msg186 = msg("95", dup170); + + var select94 = linear_select([ + msg185, + msg186, + ]); + + var msg187 = msg("96:01", dup151); + + var msg188 = msg("96", dup152); + + var select95 = linear_select([ + msg187, + msg188, + ]); + + var msg189 = msg("97:01", dup151); + + var msg190 = msg("97", dup152); + + var select96 = linear_select([ + msg189, + msg190, + ]); + + var msg191 = msg("98:01", dup171); + + var msg192 = msg("98", dup170); + + var select97 = linear_select([ + msg191, + msg192, + ]); + + var msg193 = msg("99:01", dup171); + + var msg194 = msg("99", dup170); + + var select98 = linear_select([ + msg193, + msg194, + ]); + + var msg195 = msg("100:01", dup151); + + var msg196 = msg("100", dup152); + + var select99 = linear_select([ + msg195, + msg196, + ]); + + var msg197 = msg("101:01", dup151); + + var msg198 = msg("101", dup152); + + var select100 = linear_select([ + msg197, + msg198, + ]); + + var msg199 = msg("102:01", dup155); + + var msg200 = 
msg("102", dup156); + + var select101 = linear_select([ + msg199, + msg200, + ]); + + var part18 = tagval("MESSAGE#200:103:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, + dup3, + ])); + + var msg201 = msg("103:01", part18); + + var part19 = match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, + ])); + + var msg202 = msg("103", part19); + + var select102 = linear_select([ + msg201, + msg202, + ]); + + var part20 = tagval("MESSAGE#202:104:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": 
"directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup27, + dup6, + dup29, + dup2, + dup3, + ])); + + var msg203 = msg("104:01", part20); + + var part21 = match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup29, + dup2, + ])); + + var msg204 = msg("104", part21); + + var select103 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("105:01", dup169); + + var msg206 = msg("105", dup170); + + var select104 = linear_select([ + msg205, + msg206, + ]); + + var msg207 = msg("106:01", dup169); + + var msg208 = msg("106", dup170); + + var select105 = linear_select([ + msg207, + msg208, + ]); + + var msg209 = msg("107:01", dup169); + + var msg210 = msg("107", dup170); + + var select106 = linear_select([ + msg209, + msg210, + ]); + + var msg211 = msg("108:01", dup169); + + var msg212 = msg("108", dup170); + + var select107 = linear_select([ + msg211, + msg212, + ]); + + var msg213 = msg("109:01", dup169); + + var msg214 = msg("109", dup170); + + var select108 = linear_select([ + msg213, + msg214, + ]); + + var msg215 = msg("110:01", dup151); + + var msg216 = msg("110", 
dup152); + + var select109 = linear_select([ + msg215, + msg216, + ]); + + var msg217 = msg("111:01", dup169); + + var msg218 = msg("111", dup170); + + var select110 = linear_select([ + msg217, + msg218, + ]); + + var msg219 = msg("112:01", dup169); + + var msg220 = msg("112", dup170); + + var select111 = linear_select([ + msg219, + msg220, + ]); + + var msg221 = msg("114:01", dup169); + + var msg222 = msg("114", dup170); + + var select112 = linear_select([ + msg221, + msg222, + ]); + + var msg223 = msg("115:01", dup169); + + var msg224 = msg("115", dup170); + + var select113 = linear_select([ + msg223, + msg224, + ]); + + var msg225 = msg("116:01", dup151); + + var msg226 = msg("116", dup152); + + var select114 = linear_select([ + msg225, + msg226, + ]); + + var msg227 = msg("117:01", dup151); + + var msg228 = msg("117", dup152); + + var select115 = linear_select([ + msg227, + msg228, + ]); + + var msg229 = msg("118:01", dup169); + + var msg230 = msg("118", dup170); + + var select116 = linear_select([ + msg229, + msg230, + ]); + + var msg231 = msg("119:01", dup169); + + var msg232 = msg("119", dup170); + + var select117 = linear_select([ + msg231, + msg232, + ]); + + var msg233 = msg("120:01", dup169); + + var msg234 = msg("120", dup170); + + var select118 = linear_select([ + msg233, + msg234, + ]); + + var msg235 = msg("121:01", dup169); + + var msg236 = msg("121", dup170); + + var select119 = linear_select([ + msg235, + msg236, + ]); + + var msg237 = msg("122:01", dup169); + + var msg238 = msg("122", dup170); + + var select120 = linear_select([ + msg237, + msg238, + ]); + + var msg239 = msg("123:01", dup169); + + var msg240 = msg("123", dup170); + + var select121 = linear_select([ + msg239, + msg240, + ]); + + var msg241 = msg("124:01", dup169); + + var msg242 = msg("124", dup170); + + var select122 = linear_select([ + msg241, + msg242, + ]); + + var msg243 = msg("125:01", dup169); + + var msg244 = msg("125", dup170); + + var select123 = linear_select([ + 
msg243, + msg244, + ]); + + var msg245 = msg("126:01", dup169); + + var msg246 = msg("126", dup170); + + var select124 = linear_select([ + msg245, + msg246, + ]); + + var msg247 = msg("127:01", dup169); + + var msg248 = msg("127", dup170); + + var select125 = linear_select([ + msg247, + msg248, + ]); + + var msg249 = msg("128:01", dup169); + + var msg250 = msg("128", dup170); + + var select126 = linear_select([ + msg249, + msg250, + ]); + + var msg251 = msg("129:01", dup169); + + var msg252 = msg("129", dup170); + + var select127 = linear_select([ + msg251, + msg252, + ]); + + var msg253 = msg("130:01", dup169); + + var msg254 = msg("130", dup170); + + var select128 = linear_select([ + msg253, + msg254, + ]); + + var msg255 = msg("131:01", dup151); + + var msg256 = msg("131", dup152); + + var select129 = linear_select([ + msg255, + msg256, + ]); + + var msg257 = msg("132:01", dup151); + + var msg258 = msg("132", dup152); + + var select130 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("133:01", dup151); + + var msg260 = msg("133", dup152); + + var select131 = linear_select([ + msg259, + msg260, + ]); + + var part22 = tagval("MESSAGE#260:134:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup30, + dup2, + dup3, + ])); + + var msg261 = msg("134:01", part22); + + var part23 = match("MESSAGE#261:134", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup30, + dup2, + ])); + + var msg262 = msg("134", part23); + + var select132 = linear_select([ + msg261, + msg262, + ]); + + var msg263 = msg("135:01", dup151); + + var msg264 = msg("135", dup152); + + var select133 = linear_select([ + msg263, + msg264, + ]); + + var msg265 = msg("136:01", dup169); + + var msg266 = msg("136", dup170); + + var select134 = linear_select([ + msg265, + msg266, + ]); + + var msg267 = msg("137:01", dup169); + + var msg268 = msg("137", dup170); + + var select135 = linear_select([ + msg267, + msg268, + ]); + + var msg269 = msg("138:01", dup169); + + var msg270 = msg("138", dup170); + + var select136 = linear_select([ + msg269, + msg270, + ]); + + var msg271 = msg("139:01", dup169); + + var msg272 = msg("139", dup170); + + var select137 = linear_select([ + msg271, + msg272, + ]); + + var msg273 = msg("140:01", dup169); + + var msg274 = msg("140", dup170); + + var select138 = linear_select([ + msg273, + msg274, + ]); + + var msg275 = msg("141:01", dup169); + + var msg276 = msg("141", dup170); + + var select139 = linear_select([ + msg275, + msg276, + ]); + + var msg277 = msg("142:01", dup169); + + var msg278 = msg("142", dup170); + + var select140 = linear_select([ + msg277, + msg278, + ]); + + var msg279 = msg("143:01", dup169); + + var msg280 = msg("143", dup170); + + var select141 = linear_select([ + msg279, + msg280, + ]); + + var msg281 = msg("144:01", dup169); + + var msg282 = msg("144", dup170); + + var 
select142 = linear_select([ + msg281, + msg282, + ]); + + var msg283 = msg("145:01", dup169); + + var msg284 = msg("145", dup170); + + var select143 = linear_select([ + msg283, + msg284, + ]); + + var msg285 = msg("146:01", dup151); + + var msg286 = msg("146", dup152); + + var select144 = linear_select([ + msg285, + msg286, + ]); + + var msg287 = msg("147:01", dup151); + + var msg288 = msg("147", dup152); + + var select145 = linear_select([ + msg287, + msg288, + ]); + + var msg289 = msg("148:01", dup151); + + var msg290 = msg("148", dup152); + + var select146 = linear_select([ + msg289, + msg290, + ]); + + var msg291 = msg("149:01", dup151); + + var msg292 = msg("149", dup152); + + var select147 = linear_select([ + msg291, + msg292, + ]); + + var msg293 = msg("150:01", dup151); + + var msg294 = msg("150", dup152); + + var select148 = linear_select([ + msg293, + msg294, + ]); + + var msg295 = msg("152:01", dup151); + + var msg296 = msg("152", dup152); + + var select149 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("153:01", dup151); + + var msg298 = msg("153", dup152); + + var select150 = linear_select([ + msg297, + msg298, + ]); + + var msg299 = msg("154:01", dup151); + + var msg300 = msg("154", dup152); + + var select151 = linear_select([ + msg299, + msg300, + ]); + + var msg301 = msg("155:01", dup151); + + var msg302 = msg("155", dup152); + + var select152 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("156:01", dup151); + + var msg304 = msg("156", dup152); + + var select153 = linear_select([ + msg303, + msg304, + ]); + + var msg305 = msg("157:01", dup151); + + var msg306 = msg("157", dup152); + + var select154 = linear_select([ + msg305, + msg306, + ]); + + var msg307 = msg("158:01", dup151); + + var msg308 = msg("158", dup152); + + var select155 = linear_select([ + msg307, + msg308, + ]); + + var msg309 = msg("159:01", dup151); + + var msg310 = msg("159", dup152); + + var select156 = linear_select([ + msg309, + msg310, + ]); 
+ + var msg311 = msg("160:01", dup151); + + var msg312 = msg("160", dup152); + + var select157 = linear_select([ + msg311, + msg312, + ]); + + var msg313 = msg("161:01", dup151); + + var msg314 = msg("161", dup152); + + var select158 = linear_select([ + msg313, + msg314, + ]); + + var msg315 = msg("162:01", dup151); + + var msg316 = msg("162", dup152); + + var select159 = linear_select([ + msg315, + msg316, + ]); + + var msg317 = msg("163:01", dup151); + + var msg318 = msg("163", dup152); + + var select160 = linear_select([ + msg317, + msg318, + ]); + + var msg319 = msg("164:01", dup151); + + var msg320 = msg("164", dup152); + + var select161 = linear_select([ + msg319, + msg320, + ]); + + var msg321 = msg("165:01", dup151); + + var msg322 = msg("165", dup152); + + var select162 = linear_select([ + msg321, + msg322, + ]); + + var msg323 = msg("166:01", dup151); + + var msg324 = msg("166", dup152); + + var select163 = linear_select([ + msg323, + msg324, + ]); + + var msg325 = msg("167:01", dup151); + + var msg326 = msg("167", dup152); + + var select164 = linear_select([ + msg325, + msg326, + ]); + + var msg327 = msg("168:01", dup151); + + var msg328 = msg("168", dup152); + + var select165 = linear_select([ + msg327, + msg328, + ]); + + var msg329 = msg("169:01", dup151); + + var msg330 = msg("169", dup152); + + var select166 = linear_select([ + msg329, + msg330, + ]); + + var msg331 = msg("170:01", dup169); + + var msg332 = msg("170", dup170); + + var select167 = linear_select([ + msg331, + msg332, + ]); + + var msg333 = msg("171:01", dup151); + + var msg334 = msg("171", dup152); + + var select168 = linear_select([ + msg333, + msg334, + ]); + + var msg335 = msg("172:01", dup169); + + var msg336 = msg("172", dup170); + + var select169 = linear_select([ + msg335, + msg336, + ]); + + var msg337 = msg("173:01", dup151); + + var msg338 = msg("173", dup152); + + var select170 = linear_select([ + msg337, + msg338, + ]); + + var msg339 = msg("174:01", dup151); + + var 
msg340 = msg("174", dup152); + + var select171 = linear_select([ + msg339, + msg340, + ]); + + var msg341 = msg("175:01", dup151); + + var msg342 = msg("175", dup152); + + var select172 = linear_select([ + msg341, + msg342, + ]); + + var msg343 = msg("176:01", dup151); + + var msg344 = msg("176", dup152); + + var select173 = linear_select([ + msg343, + msg344, + ]); + + var msg345 = msg("177:01", dup151); + + var msg346 = msg("177", dup152); + + var select174 = linear_select([ + msg345, + msg346, + ]); + + var msg347 = msg("178:01", dup151); + + var msg348 = msg("178", dup152); + + var select175 = linear_select([ + msg347, + msg348, + ]); + + var msg349 = msg("179:01", dup169); + + var msg350 = msg("179", dup170); + + var select176 = linear_select([ + msg349, + msg350, + ]); + + var msg351 = msg("180:01", dup169); + + var msg352 = msg("180", dup170); + + var select177 = linear_select([ + msg351, + msg352, + ]); + + var msg353 = msg("181:01", dup169); + + var msg354 = msg("181", dup170); + + var select178 = linear_select([ + msg353, + msg354, + ]); + + var msg355 = msg("182:01", dup169); + + var msg356 = msg("182", dup170); + + var select179 = linear_select([ + msg355, + msg356, + ]); + + var msg357 = msg("183:01", dup169); + + var msg358 = msg("183", dup170); + + var select180 = linear_select([ + msg357, + msg358, + ]); + + var msg359 = msg("184:01", dup169); + + var msg360 = msg("184", dup170); + + var select181 = linear_select([ + msg359, + msg360, + ]); + + var msg361 = msg("185:01", dup169); + + var msg362 = msg("185", dup170); + + var select182 = linear_select([ + msg361, + msg362, + ]); + + var msg363 = msg("186:01", dup151); + + var msg364 = msg("186", dup152); + + var select183 = linear_select([ + msg363, + msg364, + ]); + + var msg365 = msg("187:01", dup169); + + var msg366 = msg("187", dup170); + + var select184 = linear_select([ + msg365, + msg366, + ]); + + var msg367 = msg("188:01", dup169); + + var msg368 = msg("188", dup170); + + var select185 = 
linear_select([ + msg367, + msg368, + ]); + + var msg369 = msg("189:01", dup169); + + var msg370 = msg("189", dup170); + + var select186 = linear_select([ + msg369, + msg370, + ]); + + var msg371 = msg("191:01", dup151); + + var msg372 = msg("191", dup152); + + var select187 = linear_select([ + msg371, + msg372, + ]); + + var msg373 = msg("192:01", dup169); + + var msg374 = msg("192", dup170); + + var select188 = linear_select([ + msg373, + msg374, + ]); + + var msg375 = msg("193:01", dup151); + + var msg376 = msg("193", dup152); + + var select189 = linear_select([ + msg375, + msg376, + ]); + + var msg377 = msg("194:01", dup169); + + var msg378 = msg("194", dup170); + + var select190 = linear_select([ + msg377, + msg378, + ]); + + var msg379 = msg("195:01", dup169); + + var msg380 = msg("195", dup170); + + var select191 = linear_select([ + msg379, + msg380, + ]); + + var msg381 = msg("196:01", dup151); + + var msg382 = msg("196", dup152); + + var select192 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = msg("197:01", dup151); + + var msg384 = msg("197", dup152); + + var select193 = linear_select([ + msg383, + msg384, + ]); + + var msg385 = msg("198:01", dup169); + + var msg386 = msg("198", dup170); + + var select194 = linear_select([ + msg385, + msg386, + ]); + + var msg387 = msg("199:01", dup169); + + var msg388 = msg("199", dup170); + + var select195 = linear_select([ + msg387, + msg388, + ]); + + var msg389 = msg("200:01", dup169); + + var msg390 = msg("200", dup170); + + var select196 = linear_select([ + msg389, + msg390, + ]); + + var msg391 = msg("201:01", dup169); + + var msg392 = msg("201", dup170); + + var select197 = linear_select([ + msg391, + msg392, + ]); + + var msg393 = msg("202:01", dup169); + + var msg394 = msg("202", dup170); + + var select198 = linear_select([ + msg393, + msg394, + ]); + + var msg395 = msg("203:01", dup169); + + var msg396 = msg("203", dup170); + + var select199 = linear_select([ + msg395, + msg396, + ]); + + var 
msg397 = msg("204:01", dup151); + + var msg398 = msg("204", dup152); + + var select200 = linear_select([ + msg397, + msg398, + ]); + + var msg399 = msg("205:01", dup151); + + var msg400 = msg("205", dup152); + + var select201 = linear_select([ + msg399, + msg400, + ]); + + var msg401 = msg("206:01", dup151); + + var msg402 = msg("206", dup152); + + var select202 = linear_select([ + msg401, + msg402, + ]); + + var msg403 = msg("207:01", dup151); + + var msg404 = msg("207", dup152); + + var select203 = linear_select([ + msg403, + msg404, + ]); + + var msg405 = msg("208:01", dup151); + + var msg406 = msg("208", dup152); + + var select204 = linear_select([ + msg405, + msg406, + ]); + + var msg407 = msg("209:01", dup169); + + var msg408 = msg("209", dup170); + + var select205 = linear_select([ + msg407, + msg408, + ]); + + var msg409 = msg("211:01", dup169); + + var msg410 = msg("211", dup170); + + var select206 = linear_select([ + msg409, + msg410, + ]); + + var msg411 = msg("212:01", dup169); + + var msg412 = msg("212", dup170); + + var select207 = linear_select([ + msg411, + msg412, + ]); + + var msg413 = msg("213:01", dup169); + + var msg414 = msg("213", dup170); + + var select208 = linear_select([ + msg413, + msg414, + ]); + + var msg415 = msg("214:01", dup151); + + var msg416 = msg("214", dup152); + + var select209 = linear_select([ + msg415, + msg416, + ]); + + var msg417 = msg("215:01", dup151); + + var msg418 = msg("215", dup152); + + var select210 = linear_select([ + msg417, + msg418, + ]); + + var msg419 = msg("216:01", dup151); + + var msg420 = msg("216", dup152); + + var select211 = linear_select([ + msg419, + msg420, + ]); + + var msg421 = msg("217:01", dup169); + + var msg422 = msg("217", dup170); + + var select212 = linear_select([ + msg421, + msg422, + ]); + + var msg423 = msg("218:01", dup169); + + var msg424 = msg("218", dup170); + + var select213 = linear_select([ + msg423, + msg424, + ]); + + var msg425 = msg("219:01", dup169); + + var msg426 = 
msg("219", dup170); + + var select214 = linear_select([ + msg425, + msg426, + ]); + + var msg427 = msg("220:01", dup169); + + var msg428 = msg("220", dup170); + + var select215 = linear_select([ + msg427, + msg428, + ]); + + var msg429 = msg("221:01", dup169); + + var msg430 = msg("221", dup170); + + var select216 = linear_select([ + msg429, + msg430, + ]); + + var msg431 = msg("222:01", dup151); + + var msg432 = msg("222", dup152); + + var select217 = linear_select([ + msg431, + msg432, + ]); + + var msg433 = msg("223:01", dup169); + + var msg434 = msg("223", dup170); + + var select218 = linear_select([ + msg433, + msg434, + ]); + + var msg435 = msg("224:01", dup169); + + var msg436 = msg("224", dup170); + + var select219 = linear_select([ + msg435, + msg436, + ]); + + var msg437 = msg("229:01", dup169); + + var msg438 = msg("229", dup170); + + var select220 = linear_select([ + msg437, + msg438, + ]); + + var msg439 = msg("230:01", dup151); + + var msg440 = msg("230", dup152); + + var select221 = linear_select([ + msg439, + msg440, + ]); + + var msg441 = msg("231:01", dup151); + + var msg442 = msg("231", dup152); + + var select222 = linear_select([ + msg441, + msg442, + ]); + + var msg443 = msg("232:01", dup151); + + var msg444 = msg("232", dup152); + + var select223 = linear_select([ + msg443, + msg444, + ]); + + var msg445 = msg("233:01", dup151); + + var msg446 = msg("233", dup152); + + var select224 = linear_select([ + msg445, + msg446, + ]); + + var msg447 = msg("236:01", dup153); + + var msg448 = msg("236", dup154); + + var select225 = linear_select([ + msg447, + msg448, + ]); + + var msg449 = msg("237:01", dup169); + + var msg450 = msg("237", dup170); + + var select226 = linear_select([ + msg449, + msg450, + ]); + + var msg451 = msg("238:01", dup151); + + var msg452 = msg("238", dup152); + + var select227 = linear_select([ + msg451, + msg452, + ]); + + var msg453 = msg("239:01", dup169); + + var msg454 = msg("239", dup170); + + var select228 = 
linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("240:01", dup169); + + var msg456 = msg("240", dup170); + + var select229 = linear_select([ + msg455, + msg456, + ]); + + var msg457 = msg("241:01", dup169); + + var msg458 = msg("241", dup170); + + var select230 = linear_select([ + msg457, + msg458, + ]); + + var msg459 = msg("243:01", dup151); + + var msg460 = msg("243", dup152); + + var select231 = linear_select([ + msg459, + msg460, + ]); + + var msg461 = msg("244:01", dup151); + + var msg462 = msg("244", dup152); + + var select232 = linear_select([ + msg461, + msg462, + ]); + + var msg463 = msg("246:01", dup169); + + var msg464 = msg("246", dup170); + + var select233 = linear_select([ + msg463, + msg464, + ]); + + var msg465 = msg("247:01", dup169); + + var msg466 = msg("247", dup170); + + var select234 = linear_select([ + msg465, + msg466, + ]); + + var msg467 = msg("248:01", dup151); + + var msg468 = msg("248", dup152); + + var select235 = linear_select([ + msg467, + msg468, + ]); + + var msg469 = msg("249:01", dup151); + + var msg470 = msg("249", dup152); + + var select236 = linear_select([ + msg469, + msg470, + ]); + + var msg471 = msg("250:01", dup151); + + var msg472 = msg("250", dup152); + + var select237 = linear_select([ + msg471, + msg472, + ]); + + var msg473 = msg("251:01", dup169); + + var msg474 = msg("251", dup170); + + var select238 = linear_select([ + msg473, + msg474, + ]); + + var msg475 = msg("252:01", dup169); + + var msg476 = msg("252", dup170); + + var select239 = linear_select([ + msg475, + msg476, + ]); + + var msg477 = msg("253:01", dup151); + + var msg478 = msg("253", dup152); + + var select240 = linear_select([ + msg477, + msg478, + ]); + + var msg479 = msg("254:01", dup169); + + var msg480 = msg("254", dup170); + + var select241 = linear_select([ + msg479, + msg480, + ]); + + var msg481 = msg("255:01", dup151); + + var msg482 = msg("255", dup152); + + var select242 = linear_select([ + msg481, + msg482, + ]); + + var 
msg483 = msg("256:01", dup169); + + var msg484 = msg("256", dup170); + + var select243 = linear_select([ + msg483, + msg484, + ]); + + var msg485 = msg("257:01", dup169); + + var msg486 = msg("257", dup170); + + var select244 = linear_select([ + msg485, + msg486, + ]); + + var msg487 = msg("259:01", dup169); + + var msg488 = msg("259", dup170); + + var select245 = linear_select([ + msg487, + msg488, + ]); + + var msg489 = msg("260:01", dup151); + + var msg490 = msg("260", dup152); + + var select246 = linear_select([ + msg489, + msg490, + ]); + + var msg491 = msg("261:01", dup151); + + var msg492 = msg("261", dup152); + + var select247 = linear_select([ + msg491, + msg492, + ]); + + var msg493 = msg("262:01", dup151); + + var msg494 = msg("262", dup152); + + var select248 = linear_select([ + msg493, + msg494, + ]); + + var msg495 = msg("263:01", dup151); + + var msg496 = msg("263", dup152); + + var select249 = linear_select([ + msg495, + msg496, + ]); + + var msg497 = msg("264:01", dup169); + + var msg498 = msg("264", dup170); + + var select250 = linear_select([ + msg497, + msg498, + ]); + + var msg499 = msg("265:01", dup169); + + var msg500 = msg("265", dup170); + + var select251 = linear_select([ + msg499, + msg500, + ]); + + var msg501 = msg("266:01", dup169); + + var msg502 = msg("266", dup170); + + var select252 = linear_select([ + msg501, + msg502, + ]); + + var msg503 = msg("267:01", dup169); + + var msg504 = msg("267", dup170); + + var select253 = linear_select([ + msg503, + msg504, + ]); + + var msg505 = msg("268:01", dup169); + + var msg506 = msg("268", dup170); + + var select254 = linear_select([ + msg505, + msg506, + ]); + + var msg507 = msg("269:01", dup151); + + var msg508 = msg("269", dup152); + + var select255 = linear_select([ + msg507, + msg508, + ]); + + var msg509 = msg("270:01", dup169); + + var msg510 = msg("270", dup170); + + var select256 = linear_select([ + msg509, + msg510, + ]); + + var msg511 = msg("271:01", dup151); + + var msg512 = 
msg("271", dup152); + + var select257 = linear_select([ + msg511, + msg512, + ]); + + var msg513 = msg("272:01", dup169); + + var msg514 = msg("272", dup170); + + var select258 = linear_select([ + msg513, + msg514, + ]); + + var msg515 = msg("273:01", dup169); + + var msg516 = msg("273", dup170); + + var select259 = linear_select([ + msg515, + msg516, + ]); + + var msg517 = msg("274:01", dup169); + + var msg518 = msg("274", dup170); + + var select260 = linear_select([ + msg517, + msg518, + ]); + + var msg519 = msg("275:01", dup169); + + var msg520 = msg("275", dup170); + + var select261 = linear_select([ + msg519, + msg520, + ]); + + var msg521 = msg("276:01", dup169); + + var msg522 = msg("276", dup170); + + var select262 = linear_select([ + msg521, + msg522, + ]); + + var msg523 = msg("277:01", dup169); + + var msg524 = msg("277", dup170); + + var select263 = linear_select([ + msg523, + msg524, + ]); + + var msg525 = msg("278:01", dup169); + + var msg526 = msg("278", dup170); + + var select264 = linear_select([ + msg525, + msg526, + ]); + + var msg527 = msg("279:01", dup169); + + var msg528 = msg("279", dup170); + + var select265 = linear_select([ + msg527, + msg528, + ]); + + var msg529 = msg("280:01", dup151); + + var msg530 = msg("280", dup152); + + var select266 = linear_select([ + msg529, + msg530, + ]); + + var msg531 = msg("281:01", dup151); + + var msg532 = msg("281", dup152); + + var select267 = linear_select([ + msg531, + msg532, + ]); + + var msg533 = msg("282:01", dup169); + + var msg534 = msg("282", dup170); + + var select268 = linear_select([ + msg533, + msg534, + ]); + + var msg535 = msg("283:01", dup169); + + var msg536 = msg("283", dup170); + + var select269 = linear_select([ + msg535, + msg536, + ]); + + var msg537 = msg("284:01", dup151); + + var msg538 = msg("284", dup152); + + var select270 = linear_select([ + msg537, + msg538, + ]); + + var msg539 = msg("285:01", dup159); + + var msg540 = msg("285", dup160); + + var select271 = 
linear_select([ + msg539, + msg540, + ]); + + var msg541 = msg("286:01", dup169); + + var msg542 = msg("286", dup170); + + var select272 = linear_select([ + msg541, + msg542, + ]); + + var msg543 = msg("287:01", dup169); + + var msg544 = msg("287", dup170); + + var select273 = linear_select([ + msg543, + msg544, + ]); + + var msg545 = msg("288:01", dup169); + + var msg546 = msg("288", dup170); + + var select274 = linear_select([ + msg545, + msg546, + ]); + + var msg547 = msg("289:01", dup169); + + var msg548 = msg("289", dup170); + + var select275 = linear_select([ + msg547, + msg548, + ]); + + var msg549 = msg("290:01", dup169); + + var msg550 = msg("290", dup170); + + var select276 = linear_select([ + msg549, + msg550, + ]); + + var msg551 = msg("291:01", dup169); + + var msg552 = msg("291", dup170); + + var select277 = linear_select([ + msg551, + msg552, + ]); + + var msg553 = msg("292:01", dup169); + + var msg554 = msg("292", dup170); + + var select278 = linear_select([ + msg553, + msg554, + ]); + + var msg555 = msg("293:01", dup169); + + var msg556 = msg("293", dup170); + + var select279 = linear_select([ + msg555, + msg556, + ]); + + var msg557 = msg("294:01", dup169); + + var msg558 = msg("294", dup170); + + var select280 = linear_select([ + msg557, + msg558, + ]); + + var msg559 = msg("295:01", dup169); + + var msg560 = msg("295", dup170); + + var select281 = linear_select([ + msg559, + msg560, + ]); + + var msg561 = msg("296:01", dup169); + + var msg562 = msg("296", dup170); + + var select282 = linear_select([ + msg561, + msg562, + ]); + + var msg563 = msg("297:01", dup151); + + var msg564 = msg("297", dup152); + + var select283 = linear_select([ + msg563, + msg564, + ]); + + var msg565 = msg("298:01", dup151); + + var msg566 = msg("298", dup152); + + var select284 = linear_select([ + msg565, + msg566, + ]); + + var msg567 = msg("299:01", dup169); + + var msg568 = msg("299", dup170); + + var select285 = linear_select([ + msg567, + msg568, + ]); + + var 
part24 = match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + + var all1 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part24, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), + }); + + var msg569 = msg("300:02", all1); + + var part25 = tagval("MESSAGE#569:300:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup4, + dup2, + dup3, + dup24, + ])); + + var msg570 = msg("300:01", part25); + + var msg571 = msg("300", dup154); + + var select286 = linear_select([ + msg569, + msg570, + msg571, + ]); + + var msg572 = msg("301:01", dup163); + + var msg573 = msg("301", dup164); + + var select287 = linear_select([ + msg572, + msg573, + ]); + + var part26 = match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + + var all2 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + 
dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part26, + ], + on_success: processor_chain([ + dup21, + dup2, + dup3, + dup24, + ]), + }); + + var msg574 = msg("302:02", all2); + + var msg575 = msg("302:01", dup163); + + var msg576 = msg("302", dup164); + + var select288 = linear_select([ + msg574, + msg575, + msg576, + ]); + + var msg577 = msg("303:01", dup163); + + var msg578 = msg("303", dup164); + + var select289 = linear_select([ + msg577, + msg578, + ]); + + var part27 = match("MESSAGE#578:304:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); + + var part28 = match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); + + var select290 = linear_select([ + part27, + part28, + ]); + + var part29 = match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + + var all3 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + select290, + part29, + ], + on_success: processor_chain([ + dup26, + dup2, + dup3, + dup24, + ]), + }); + + var msg579 = msg("304:02", all3); + + var msg580 = msg("304:01", dup169); + + var msg581 = msg("304", dup170); + + var select291 = linear_select([ + msg579, + msg580, + msg581, + ]); + + var msg582 = msg("305:01", dup169); + + var msg583 = msg("305", dup170); + + var select292 = linear_select([ + msg582, + msg583, + ]); + + var msg584 = msg("306:01", dup151); + + var msg585 = msg("306", dup152); + + var select293 = linear_select([ + msg584, + msg585, + ]); + + var msg586 = msg("307:01", dup151); + + var msg587 = msg("307", dup152); + + var 
select294 = linear_select([ + msg586, + msg587, + ]); + + var part30 = tagval("MESSAGE#587:308:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup78, + dup2, + dup3, + ])); + + var msg588 = msg("308:01", part30); + + var part31 = match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup78, + dup2, + ])); + + var msg589 = msg("308", part31); + + var select295 = linear_select([ + msg588, + msg589, + ]); + + var part32 = tagval("MESSAGE#589:309:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": 
"dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, + ])); + + var msg590 = msg("309:01", part32); + + var part33 = match("MESSAGE#590:309", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, + ])); + + var msg591 = msg("309", part33); + + var select296 = linear_select([ + msg590, + msg591, + ]); + + var msg592 = msg("317:01", dup195); + + var msg593 = msg("317", dup196); + + var select297 = linear_select([ + msg592, + msg593, + ]); + + var msg594 = msg("316:01", dup195); + + var msg595 = msg("316", dup196); + + var select298 = linear_select([ + msg594, + msg595, + ]); + + var msg596 = msg("355:01", dup197); + + var msg597 = msg("355", dup198); + + var select299 = linear_select([ + msg596, + msg597, + ]); + + var msg598 = msg("356:01", dup197); + + var msg599 = msg("356", dup198); + + var select300 = linear_select([ + msg598, + msg599, + ]); + + var msg600 = msg("357:01", dup199); + + var msg601 = msg("357", dup200); + + var select301 = linear_select([ + msg600, + msg601, + ]); + + var msg602 = msg("358:01", dup199); + + var msg603 = msg("358", dup200); + + var select302 = linear_select([ + msg602, + msg603, + ]); 
+ + var part34 = tagval("MESSAGE#603:190:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup84, + dup2, + dup3, + ])); + + var msg604 = msg("190:01", part34); + + var part35 = match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup84, + dup2, + ])); + + var msg605 = msg("190", part35); + + var select303 = linear_select([ + msg604, + msg605, + ]); + + var msg606 = msg("5:01", dup161); + + var msg607 = msg("5", dup162); + + var select304 = linear_select([ + msg606, + msg607, + ]); + + var msg608 = msg("310:01", dup153); + + var msg609 = msg("310", dup154); + + var select305 = linear_select([ + msg608, + msg609, + ]); + + var msg610 = msg("311:01", dup153); + + var msg611 = msg("311", dup154); + + var select306 = linear_select([ + msg610, + msg611, + ]); + + var msg612 = msg("312:01", dup153); + + var msg613 = 
msg("312", dup154); + + var select307 = linear_select([ + msg612, + msg613, + ]); + + var msg614 = msg("313:01", dup153); + + var msg615 = msg("313", dup154); + + var select308 = linear_select([ + msg614, + msg615, + ]); + + var msg616 = msg("359:01", dup153); + + var msg617 = msg("359", dup154); + + var select309 = linear_select([ + msg616, + msg617, + ]); + + var msg618 = msg("372", dup201); + + var msg619 = msg("374", dup201); + + var msg620 = msg("376", dup201); + + var part36 = match("MESSAGE#620:411:01/17_0", "nwparser.p0", "\"%{fld89}\";LogonDomain=%{p0}"); + + var part37 = match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); + + var select310 = linear_select([ + part36, + part37, + ]); + + var part38 = match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); + + var part39 = match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); + + var select311 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); + + var all4 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + select310, + dup189, + dup190, + dup191, + dup192, + dup193, + select311, + part40, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), + }); + + var msg621 = msg("411:01", all4); + + var part41 = match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); + + 
var select312 = linear_select([ + part41, + dup150, + ]); + + var all5 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select312, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg622 = msg("411", all5); + + var select313 = linear_select([ + msg621, + msg622, + ]); + + var part42 = match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg623 = msg("385", part42); + + var part43 = match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + + var select314 = linear_select([ + part43, + dup150, + ]); + + var all6 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + 
dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select314, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg624 = msg("361", all6); + + var part44 = match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + + var select315 = linear_select([ + part44, + dup150, + ]); + + var all7 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select315, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg625 = msg("412", all7); + + var msg626 = msg("378", dup153); + + var msg627 = msg("321", dup153); + + var msg628 = msg("322", dup153); + + var msg629 = msg("323", dup153); + + var msg630 = msg("318", dup153); + + var msg631 = msg("380", dup153); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "1": select2, + "10": select9, + "100": select99, + "101": select100, + "102": select101, + "103": select102, + "104": select103, + "105": select104, + "106": select105, + "107": select106, + "108": select107, + "109": select108, + "11": select10, + "110": select109, + "111": select110, + "112": select111, + "114": select112, + "115": select113, + "116": select114, + "117": select115, + "118": select116, + "119": select117, + "12": select11, + "120": select118, + "121": select119, + "122": select120, + "123": select121, + "124": select122, + "125": select123, 
+ "126": select124, + "127": select125, + "128": select126, + "129": select127, + "13": select12, + "130": select128, + "131": select129, + "132": select130, + "133": select131, + "134": select132, + "135": select133, + "136": select134, + "137": select135, + "138": select136, + "139": select137, + "14": select13, + "140": select138, + "141": select139, + "142": select140, + "143": select141, + "144": select142, + "145": select143, + "146": select144, + "147": select145, + "148": select146, + "149": select147, + "15": select14, + "150": select148, + "152": select149, + "153": select150, + "154": select151, + "155": select152, + "156": select153, + "157": select154, + "158": select155, + "159": select156, + "16": select15, + "160": select157, + "161": select158, + "162": select159, + "163": select160, + "164": select161, + "165": select162, + "166": select163, + "167": select164, + "168": select165, + "169": select166, + "17": select16, + "170": select167, + "171": select168, + "172": select169, + "173": select170, + "174": select171, + "175": select172, + "176": select173, + "177": select174, + "178": select175, + "179": select176, + "18": select17, + "180": select177, + "181": select178, + "182": select179, + "183": select180, + "184": select181, + "185": select182, + "186": select183, + "187": select184, + "188": select185, + "189": select186, + "19": select18, + "190": select303, + "191": select187, + "192": select188, + "193": select189, + "194": select190, + "195": select191, + "196": select192, + "197": select193, + "198": select194, + "199": select195, + "2": select3, + "20": select19, + "200": select196, + "201": select197, + "202": select198, + "203": select199, + "204": select200, + "205": select201, + "206": select202, + "207": select203, + "208": select204, + "209": select205, + "21": select20, + "211": select206, + "212": select207, + "213": select208, + "214": select209, + "215": select210, + "216": select211, + "217": select212, + "218": select213, + 
"219": select214, + "22": select21, + "220": select215, + "221": select216, + "222": select217, + "223": select218, + "224": select219, + "229": select220, + "23": select22, + "230": select221, + "231": select222, + "232": select223, + "233": select224, + "236": select225, + "237": select226, + "238": select227, + "239": select228, + "24": select23, + "240": select229, + "241": select230, + "243": select231, + "244": select232, + "246": select233, + "247": select234, + "248": select235, + "249": select236, + "25": select24, + "250": select237, + "251": select238, + "252": select239, + "253": select240, + "254": select241, + "255": select242, + "256": select243, + "257": select244, + "259": select245, + "26": select25, + "260": select246, + "261": select247, + "262": select248, + "263": select249, + "264": select250, + "265": select251, + "266": select252, + "267": select253, + "268": select254, + "269": select255, + "27": select26, + "270": select256, + "271": select257, + "272": select258, + "273": select259, + "274": select260, + "275": select261, + "276": select262, + "277": select263, + "278": select264, + "279": select265, + "28": select27, + "280": select266, + "281": select267, + "282": select268, + "283": select269, + "284": select270, + "285": select271, + "286": select272, + "287": select273, + "288": select274, + "289": select275, + "29": select28, + "290": select276, + "291": select277, + "292": select278, + "293": select279, + "294": select280, + "295": select281, + "296": select282, + "297": select283, + "298": select284, + "299": select285, + "3": select4, + "30": select29, + "300": select286, + "301": select287, + "302": select288, + "303": select289, + "304": select291, + "305": select292, + "306": select293, + "307": select294, + "308": select295, + "309": select296, + "31": select30, + "310": select305, + "311": select306, + "312": select307, + "313": select308, + "316": select298, + "317": select297, + "318": msg630, + "32": select31, + "321": 
msg627, + "322": msg628, + "323": msg629, + "33": select32, + "34": select33, + "35": select34, + "355": select299, + "356": select300, + "357": select301, + "358": select302, + "359": select309, + "36": select35, + "361": msg624, + "37": select36, + "372": msg618, + "374": msg619, + "376": msg620, + "378": msg626, + "38": select37, + "380": msg631, + "385": msg623, + "39": select38, + "4": select5, + "40": select39, + "41": select40, + "411": select313, + "412": msg625, + "42": select41, + "43": select42, + "44": select43, + "45": select44, + "46": select45, + "47": select46, + "48": select47, + "49": select48, + "5": select304, + "50": select49, + "51": select50, + "52": select51, + "53": select52, + "54": select53, + "55": select54, + "56": select55, + "57": select56, + "58": select57, + "59": select58, + "60": select59, + "61": select60, + "62": select61, + "63": select62, + "64": select63, + "65": select64, + "66": select65, + "67": select66, + "68": select67, + "69": select68, + "7": select6, + "70": select69, + "71": select70, + "72": select71, + "73": select72, + "74": select73, + "75": select74, + "76": select75, + "77": select76, + "78": select77, + "79": select78, + "8": select7, + "80": select79, + "81": select80, + "82": select81, + "83": select82, + "84": select83, + "85": select84, + "86": select85, + "87": select86, + "88": select87, + "89": select88, + "9": select8, + "90": select89, + "91": select90, + "92": select91, + "93": select92, + "94": select93, + "95": select94, + "96": select95, + "97": select96, + "98": select97, + "99": select98, + }), + ]); + + var part45 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); + + var part46 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); + + var part47 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); + + var part48 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); + + var part49 = 
match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); + + var part50 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); + + var part51 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); + + var part52 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); + + var part53 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); + + var part54 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%(unknown)\";Safe=%{p0}"); + + var part55 = match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%(unknown);Safe=%{p0}"); + + var part56 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); + + var part57 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); + + var part58 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); + + var part59 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); + + var part60 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); + + var part61 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); + + var part62 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); + + var part63 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); + + var part64 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); + + var part65 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); + + var part66 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); + + var part67 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); + + var part68 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); + + var part69 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", 
"%{group};TargetUser=%{p0}"); + + var part70 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); + + var part71 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); + + var part72 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); + + var part73 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); + + var part74 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); + + var part75 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); + + var part76 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); + + var part77 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); + + var part78 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); + + var part79 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); + + var part80 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); + + var part81 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); + + var part82 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); + + var part83 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); + + var part84 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); + + var part85 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); + + var part86 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); + + var part87 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); + + var part88 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); + + var part89 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); + + var part90 = 
match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); + + var part91 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); + + var part92 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); + + var part93 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); + + var part94 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); + + var part95 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); + + var part96 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); + + var part97 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); + + var part98 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); + + var part99 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); + + var part100 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); + + var part101 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); + + var part102 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); + + var part103 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); + + var part104 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%(unknown)\";%{p0}"); + + var part105 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%(unknown);%{p0}"); + + var part106 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); + + var part107 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); + + var part108 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); + + var part109 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); + + var part110 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); + + var part111 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); + + var part112 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); + + var part113 = 
match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); + + var part114 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); + + var part115 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); + + var part116 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); + + var part117 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); + + var part118 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); + + var part119 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); + + var part120 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); + + var part121 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); + + var part122 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); + + var part123 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); + + var part124 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); + + var part125 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); + + var part126 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); + + var part127 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); + + var part128 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); + + var part129 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); + + var part130 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); + + var part131 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); + + var part132 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); + + var part133 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); + + var part134 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); + + var part135 = 
match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); + + var part136 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); + + var part137 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); + + var part138 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); + + var part139 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); + + var part140 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); + + var part141 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); + + var part142 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); + + var part143 = match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); + + var part144 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); + + var part145 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); + + var part146 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); + + var part147 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); + + var part148 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); + + var part149 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); + + var part150 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); + + var part151 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); + + var part152 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); + + var part153 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); + + var part154 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); + + var part155 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); + + var part156 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); + + var part157 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); + + var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { + "Address": 
"dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup1, + dup2, + dup3, + ])); + + var part159 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, + ])); + + var part160 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ 
+ dup4, + dup2, + dup3, + ])); + + var part161 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup4, + dup2, + ])); + + var part162 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, + ])); + + var part163 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + ])); + + var part164 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, + ])); + + var part165 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + 
dup17, + dup9, + dup2, + ])); + + var part166 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup19, + dup2, + dup3, + ])); + + var part167 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, + ])); + + var part168 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + 
"TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup2, + dup3, + ])); + + var part169 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, + ])); + + var part170 = tagval("MESSAGE#38:22:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup21, + dup2, + dup3, + ])); + + var part171 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, + ])); + + var part172 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup23, + dup2, + dup3, + ])); + + var part173 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, + ])); + + var part174 = tagval("MESSAGE#116:61:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup20, + dup2, + dup3, + ])); + + var part175 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, + ])); + + var part176 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": 
"c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + ])); + + var part177 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, + ])); + + var part178 = tagval("MESSAGE#190:98:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, + ])); + + var select316 = linear_select([ + dup32, + dup33, + ]); + + var select317 = linear_select([ + dup34, + dup35, + ]); + + var select318 = linear_select([ + dup36, + dup37, + ]); + + var select319 = linear_select([ + dup38, + dup39, + ]); + + var select320 = linear_select([ + dup40, + dup41, + ]); + + var select321 = linear_select([ + dup42, + dup43, + ]); + + var select322 = linear_select([ + dup44, + dup45, + ]); + + var select323 = linear_select([ + dup46, + dup47, + ]); + + var select324 = 
linear_select([ + dup48, + dup49, + ]); + + var select325 = linear_select([ + dup50, + dup51, + ]); + + var select326 = linear_select([ + dup52, + dup53, + ]); + + var select327 = linear_select([ + dup54, + dup55, + ]); + + var select328 = linear_select([ + dup56, + dup57, + ]); + + var select329 = linear_select([ + dup58, + dup59, + ]); + + var select330 = linear_select([ + dup60, + dup61, + ]); + + var select331 = linear_select([ + dup62, + dup63, + ]); + + var select332 = linear_select([ + dup64, + dup65, + ]); + + var select333 = linear_select([ + dup66, + dup67, + ]); + + var select334 = linear_select([ + dup68, + dup69, + ]); + + var select335 = linear_select([ + dup70, + dup71, + ]); + + var select336 = linear_select([ + dup72, + dup73, + ]); + + var select337 = linear_select([ + dup74, + dup75, + ]); + + var select338 = linear_select([ + dup76, + dup77, + ]); + + var part179 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, + ])); + + var part180 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, + ])); + + var part181 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup82, + dup2, + dup3, + ])); + + var part182 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, + ])); + + var part183 = 
tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup83, + dup2, + dup3, + ])); + + var part184 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, + ])); + + var part185 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var select339 = linear_select([ + dup85, + dup86, + 
]); + + var select340 = linear_select([ + dup88, + dup89, + ]); + + var select341 = linear_select([ + dup91, + dup92, + ]); + + var select342 = linear_select([ + dup94, + dup95, + ]); + + var select343 = linear_select([ + dup97, + dup98, + ]); + + var select344 = linear_select([ + dup100, + dup101, + ]); + + var select345 = linear_select([ + dup103, + dup104, + ]); + + var select346 = linear_select([ + dup106, + dup107, + ]); + + var select347 = linear_select([ + dup109, + dup110, + ]); + + var select348 = linear_select([ + dup112, + dup113, + ]); + + var select349 = linear_select([ + dup115, + dup116, + dup117, + dup118, + ]); + + var select350 = linear_select([ + dup120, + dup121, + ]); + + var select351 = linear_select([ + dup123, + dup124, + ]); + + var select352 = linear_select([ + dup126, + dup127, + ]); + + var select353 = linear_select([ + dup129, + dup130, + ]); + + var select354 = linear_select([ + dup132, + dup133, + ]); + + var select355 = linear_select([ + dup135, + dup136, + ]); + + var select356 = linear_select([ + dup138, + dup139, + ]); + + var select357 = linear_select([ + dup141, + dup142, + ]); + + var select358 = linear_select([ + dup144, + dup145, + ]); + + var select359 = linear_select([ + dup147, + dup148, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: 
true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/cyberark/0.5.1/data_stream/corepas/agent/stream/tcp.yml.hbs b/packages/cyberark/0.5.1/data_stream/corepas/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..b4fbd2f2ec
--- /dev/null
+++ b/packages/cyberark/0.5.1/data_stream/corepas/agent/stream/tcp.yml.hbs
@@ -0,0 +1,8830 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cyberark" + product: "Core" + type: "Access" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, + ])); + + var dup153 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup4, + dup2, + dup3, + ])); + + var dup154 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", 
processor_chain([ + dup4, + dup2, + ])); + + var dup155 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, + ])); + + var dup156 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + ])); + + var dup157 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": 
"severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, + ])); + + var dup158 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + ])); + + var dup159 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup19, + dup2, + dup3, + ])); + + var dup160 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, + ])); + + var dup161 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup2, + dup3, + ])); + + var dup162 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, + ])); + + var dup163 = tagval("MESSAGE#38:22:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup21, + dup2, + dup3, + ])); + + var dup164 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, + ])); + + var dup165 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + 
"Version": "version", + }, processor_chain([ + dup23, + dup2, + dup3, + ])); + + var dup166 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, + ])); + + var dup167 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup20, + dup2, + dup3, + ])); + + var dup168 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, + ])); + + var dup169 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + ])); + + var dup170 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, + ])); + + var dup171 = tagval("MESSAGE#190:98:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, + ])); + + var dup172 = linear_select([ + dup32, + dup33, + ]); + + var dup173 = linear_select([ + dup34, + dup35, + ]); + + var dup174 = linear_select([ + dup36, + dup37, + ]); + + var dup175 = linear_select([ + dup38, + dup39, + ]); + + var dup176 = linear_select([ + dup40, + dup41, + ]); + + var dup177 = linear_select([ + dup42, + dup43, + ]); + + var dup178 = linear_select([ + dup44, + dup45, + ]); + + var dup179 = linear_select([ + dup46, + dup47, + ]); + + var dup180 = linear_select([ + dup48, + dup49, + ]); + + var dup181 = linear_select([ + dup50, + dup51, + ]); + + var dup182 = linear_select([ + dup52, + dup53, + ]); + + var dup183 = linear_select([ + dup54, + dup55, + ]); + + var dup184 = linear_select([ + dup56, + dup57, + ]); + + var dup185 = linear_select([ + dup58, + dup59, + ]); + + var dup186 = linear_select([ + dup60, + dup61, + ]); + + var dup187 = linear_select([ + dup62, + dup63, + ]); + + var dup188 = linear_select([ + dup64, + dup65, + ]); + + var dup189 = linear_select([ + dup66, + dup67, + ]); + + var dup190 = linear_select([ + dup68, + dup69, + ]); + + var dup191 = linear_select([ + dup70, + dup71, + ]); + + var dup192 = linear_select([ + dup72, + dup73, + ]); + + var dup193 = linear_select([ + dup74, + dup75, + ]); + + var dup194 = 
linear_select([ + dup76, + dup77, + ]); + + var dup195 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, + ])); + + var dup196 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, + ])); + + var dup197 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + 
"SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup82, + dup2, + dup3, + ])); + + var dup198 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, + ])); + + var dup199 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup83, + dup2, + dup3, + ])); + + var dup200 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, + ])); + + var dup201 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var dup202 = linear_select([ + dup85, + dup86, + ]); + + var dup203 = linear_select([ + dup88, + dup89, + ]); + + var dup204 = linear_select([ + dup91, + dup92, + ]); + + var dup205 = linear_select([ + dup94, + dup95, + ]); + + var dup206 = linear_select([ + dup97, + dup98, + ]); + + var dup207 = linear_select([ + dup100, + dup101, + ]); + + var dup208 = linear_select([ + dup103, + dup104, + ]); + + var dup209 = linear_select([ + dup106, + dup107, + ]); + + var dup210 = linear_select([ + dup109, + dup110, + ]); + + var dup211 = linear_select([ + dup112, + dup113, + ]); + + var dup212 = linear_select([ + dup115, + dup116, + dup117, + dup118, + ]); + + var dup213 = linear_select([ + dup120, + dup121, + ]); + + var dup214 = linear_select([ + dup123, + dup124, + ]); + + var dup215 = linear_select([ + dup126, + dup127, + ]); + + var dup216 = 
linear_select([ + dup129, + dup130, + ]); + + var dup217 = linear_select([ + dup132, + dup133, + ]); + + var dup218 = linear_select([ + dup135, + dup136, + ]); + + var dup219 = linear_select([ + dup138, + dup139, + ]); + + var dup220 = linear_select([ + dup141, + dup142, + ]); + + var dup221 = linear_select([ + dup144, + dup145, + ]); + + var dup222 = linear_select([ + dup147, + dup148, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld1"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld4"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr5 = match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", 
processor_chain([ + setc("header_id","0004"), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0006"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var msg1 = msg("1:01", dup151); + + var msg2 = msg("1", dup152); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("2:01", dup153); + + var msg4 = msg("2", dup154); + + var select3 = linear_select([ + msg3, + msg4, + ]); + + var msg5 = msg("3:01", dup151); + + var msg6 = msg("3", dup152); + + var select4 = linear_select([ + msg5, + msg6, + ]); + + var msg7 = msg("4:01", dup155); + + var msg8 = msg("4", dup156); + + var select5 = linear_select([ + msg7, + msg8, + ]); + + var part1 = tagval("MESSAGE#8:7:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, + dup3, + ])); + + var msg9 = msg("7:01", part1); + + var part2 = match("MESSAGE#9:7", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, + ])); + + var msg10 = msg("7", part2); + + var select6 = linear_select([ + msg9, + msg10, + ]); + + var part3 = tagval("MESSAGE#10:8:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, + dup3, + ])); + + var msg11 = msg("8:01", part3); + + var part4 = match("MESSAGE#11:8", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, + ])); + + var msg12 = msg("8", part4); + + var select7 = linear_select([ + msg11, + msg12, + ]); + + var part5 = tagval("MESSAGE#12:9:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup1, + dup14, + dup9, + dup2, + dup3, + ])); + + var msg13 = msg("9:01", part5); + + var part6 = match("MESSAGE#13:9", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup14, + dup9, + dup2, + ])); + + var msg14 = msg("9", part6); + + var select8 = linear_select([ + msg13, + msg14, + ]); + + var msg15 = msg("10:01", dup151); + + var msg16 = msg("10", dup152); + + var select9 = linear_select([ + msg15, + msg16, + ]); + + var msg17 = msg("11:01", dup151); + + var msg18 = msg("11", dup152); + + var select10 = linear_select([ + msg17, + msg18, + ]); + + var msg19 = msg("12:01", dup151); + + var msg20 = msg("12", dup152); + + var select11 = linear_select([ + msg19, + msg20, + ]); + + var msg21 = msg("13:01", dup157); + + var msg22 = msg("13", dup158); + + var select12 = linear_select([ + msg21, + msg22, + ]); + + var msg23 = msg("14:01", dup157); + + var msg24 = msg("14", dup158); + + var select13 = linear_select([ + msg23, + msg24, + ]); + + var part7 = tagval("MESSAGE#24:15:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + 
"Version": "version", + }, processor_chain([ + dup15, + dup18, + dup9, + dup2, + dup3, + ])); + + var msg25 = msg("15:01", part7); + + var part8 = match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup18, + dup9, + dup2, + ])); + + var msg26 = msg("15", part8); + + var select14 = linear_select([ + msg25, + msg26, + ]); + + var msg27 = msg("16:01", dup159); + + var msg28 = msg("16", dup160); + + var select15 = linear_select([ + msg27, + msg28, + ]); + + var msg29 = msg("17:01", dup151); + + var msg30 = msg("17", dup152); + + var select16 = linear_select([ + msg29, + msg30, + ]); + + var msg31 = msg("18:01", dup161); + + var msg32 = msg("18", dup162); + + var select17 = linear_select([ + msg31, + msg32, + ]); + + var part9 = tagval("MESSAGE#32:19:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup20, + dup16, 
+ dup11, + dup2, + dup3, + ])); + + var msg33 = msg("19:01", part9); + + var part10 = match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup16, + dup11, + dup2, + ])); + + var msg34 = msg("19", part10); + + var select18 = linear_select([ + msg33, + msg34, + ]); + + var part11 = tagval("MESSAGE#34:20:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup19, + dup16, + dup2, + dup3, + ])); + + var msg35 = msg("20:01", part11); + + var part12 = match("MESSAGE#35:20", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup16, + dup2, + ])); + + var msg36 = msg("20", part12); + + var select19 = linear_select([ + msg35, + msg36, + ]); + + var part13 = tagval("MESSAGE#36:21:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup16, + dup9, + dup2, + dup3, + ])); + + var msg37 = msg("21:01", part13); + + var part14 = match("MESSAGE#37:21", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup9, + dup2, + ])); + + var msg38 = msg("21", part14); + + var select20 = linear_select([ + msg37, + msg38, + ]); + + var msg39 = msg("22:01", dup163); + + var msg40 = msg("22", dup164); + + var select21 = linear_select([ + msg39, + msg40, + ]); + + var part15 = tagval("MESSAGE#40:23:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup22, + dup2, + dup3, + ])); + + var msg41 = msg("23:01", part15); + + var part16 = match("MESSAGE#41:23", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup22, + dup2, + ])); + + var msg42 = msg("23", part16); + + var select22 = linear_select([ + msg41, + msg42, + ]); + + var msg43 = msg("24:01", dup163); + + var msg44 = msg("24", dup164); + + var select23 = linear_select([ + msg43, + msg44, + ]); + + var msg45 = msg("25:01", dup151); + + var msg46 = msg("25", dup152); + + var select24 = linear_select([ + msg45, + msg46, + ]); + + var msg47 = msg("26:01", dup151); + + var msg48 = msg("26", dup152); + + var select25 = linear_select([ + msg47, + msg48, + ]); + + var msg49 = msg("27:01", dup151); + + var msg50 = msg("27", dup152); + + var select26 = linear_select([ + msg49, + msg50, + ]); + + var msg51 = msg("28:01", dup163); + + var msg52 = msg("28", dup164); + + var select27 = linear_select([ + msg51, + msg52, + ]); + + var msg53 = msg("29:01", dup151); + + var msg54 = msg("29", dup152); + + var select28 = linear_select([ + msg53, + msg54, + ]); + + var msg55 = msg("30:01", dup151); + + var msg56 = msg("30", dup152); + + var select29 = linear_select([ + msg55, + msg56, + ]); + + var msg57 = msg("31:01", dup163); + + var msg58 = msg("31", dup164); + + var select30 = linear_select([ + msg57, + msg58, + ]); + + var msg59 = msg("32:01", dup163); + + var msg60 = msg("32", dup164); + + var select31 = linear_select([ + msg59, + msg60, + ]); + + var msg61 = msg("33:01", dup163); + + var msg62 = msg("33", dup164); + + var select32 = linear_select([ + msg61, + msg62, + ]); + + var msg63 = 
msg("34:01", dup151); + + var msg64 = msg("34", dup152); + + var select33 = linear_select([ + msg63, + msg64, + ]); + + var msg65 = msg("35:01", dup151); + + var msg66 = msg("35", dup152); + + var select34 = linear_select([ + msg65, + msg66, + ]); + + var msg67 = msg("36:01", dup163); + + var msg68 = msg("36", dup164); + + var select35 = linear_select([ + msg67, + msg68, + ]); + + var msg69 = msg("37:01", dup163); + + var msg70 = msg("37", dup164); + + var select36 = linear_select([ + msg69, + msg70, + ]); + + var msg71 = msg("38:01", dup165); + + var msg72 = msg("38", dup166); + + var select37 = linear_select([ + msg71, + msg72, + ]); + + var msg73 = msg("39:01", dup163); + + var msg74 = msg("39", dup164); + + var select38 = linear_select([ + msg73, + msg74, + ]); + + var msg75 = msg("40:01", dup151); + + var msg76 = msg("40", dup152); + + var select39 = linear_select([ + msg75, + msg76, + ]); + + var msg77 = msg("41:01", dup151); + + var msg78 = msg("41", dup152); + + var select40 = linear_select([ + msg77, + msg78, + ]); + + var msg79 = msg("42:01", dup151); + + var msg80 = msg("42", dup152); + + var select41 = linear_select([ + msg79, + msg80, + ]); + + var msg81 = msg("43:01", dup151); + + var msg82 = msg("43", dup152); + + var select42 = linear_select([ + msg81, + msg82, + ]); + + var msg83 = msg("44:01", dup151); + + var msg84 = msg("44", dup152); + + var select43 = linear_select([ + msg83, + msg84, + ]); + + var msg85 = msg("45:01", dup151); + + var msg86 = msg("45", dup152); + + var select44 = linear_select([ + msg85, + msg86, + ]); + + var msg87 = msg("46:01", dup151); + + var msg88 = msg("46", dup152); + + var select45 = linear_select([ + msg87, + msg88, + ]); + + var msg89 = msg("47:01", dup151); + + var msg90 = msg("47", dup152); + + var select46 = linear_select([ + msg89, + msg90, + ]); + + var msg91 = msg("48:01", dup151); + + var msg92 = msg("48", dup152); + + var select47 = linear_select([ + msg91, + msg92, + ]); + + var msg93 = msg("49:01", 
dup151); + + var msg94 = msg("49", dup152); + + var select48 = linear_select([ + msg93, + msg94, + ]); + + var part17 = tagval("MESSAGE#94:50:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup21, + dup2, + dup3, + dup24, + dup25, + ])); + + var msg95 = msg("50:01", part17); + + var msg96 = msg("50", dup164); + + var select49 = linear_select([ + msg95, + msg96, + ]); + + var msg97 = msg("51:01", dup163); + + var msg98 = msg("51", dup164); + + var select50 = linear_select([ + msg97, + msg98, + ]); + + var msg99 = msg("52:01", dup163); + + var msg100 = msg("52", dup164); + + var select51 = linear_select([ + msg99, + msg100, + ]); + + var msg101 = msg("53:01", dup151); + + var msg102 = msg("53", dup152); + + var select52 = linear_select([ + msg101, + msg102, + ]); + + var msg103 = msg("54:01", dup151); + + var msg104 = msg("54", dup152); + + var select53 = linear_select([ + msg103, + msg104, + ]); + + var msg105 = msg("55:01", dup151); + + var msg106 = msg("55", dup152); + + var select54 = linear_select([ + msg105, + msg106, + ]); + + var msg107 = msg("56:01", dup151); + + var msg108 = msg("56", dup152); + + var select55 = linear_select([ + msg107, + msg108, + ]); + + var msg109 = msg("57:01", dup165); + + var msg110 = msg("57", dup166); + + var select56 = linear_select([ + msg109, + msg110, + ]); + + var msg111 = msg("58:01", dup163); + + var msg112 = 
msg("58", dup164); + + var select57 = linear_select([ + msg111, + msg112, + ]); + + var msg113 = msg("59:01", dup163); + + var msg114 = msg("59", dup164); + + var select58 = linear_select([ + msg113, + msg114, + ]); + + var msg115 = msg("60:01", dup165); + + var msg116 = msg("60", dup166); + + var select59 = linear_select([ + msg115, + msg116, + ]); + + var msg117 = msg("61:01", dup167); + + var msg118 = msg("61", dup168); + + var select60 = linear_select([ + msg117, + msg118, + ]); + + var msg119 = msg("62:01", dup163); + + var msg120 = msg("62", dup164); + + var select61 = linear_select([ + msg119, + msg120, + ]); + + var msg121 = msg("63:01", dup151); + + var msg122 = msg("63", dup152); + + var select62 = linear_select([ + msg121, + msg122, + ]); + + var msg123 = msg("64:01", dup167); + + var msg124 = msg("64", dup168); + + var select63 = linear_select([ + msg123, + msg124, + ]); + + var msg125 = msg("65:01", dup151); + + var msg126 = msg("65", dup152); + + var select64 = linear_select([ + msg125, + msg126, + ]); + + var msg127 = msg("66:01", dup169); + + var msg128 = msg("66", dup170); + + var select65 = linear_select([ + msg127, + msg128, + ]); + + var msg129 = msg("67:01", dup169); + + var msg130 = msg("67", dup170); + + var select66 = linear_select([ + msg129, + msg130, + ]); + + var msg131 = msg("68:01", dup169); + + var msg132 = msg("68", dup170); + + var select67 = linear_select([ + msg131, + msg132, + ]); + + var msg133 = msg("69:01", dup169); + + var msg134 = msg("69", dup170); + + var select68 = linear_select([ + msg133, + msg134, + ]); + + var msg135 = msg("70:01", dup151); + + var msg136 = msg("70", dup152); + + var select69 = linear_select([ + msg135, + msg136, + ]); + + var msg137 = msg("71:01", dup169); + + var msg138 = msg("71", dup170); + + var select70 = linear_select([ + msg137, + msg138, + ]); + + var msg139 = msg("72:01", dup151); + + var msg140 = msg("72", dup152); + + var select71 = linear_select([ + msg139, + msg140, + ]); + + var msg141 
= msg("73:01", dup169); + + var msg142 = msg("73", dup170); + + var select72 = linear_select([ + msg141, + msg142, + ]); + + var msg143 = msg("74:01", dup151); + + var msg144 = msg("74", dup152); + + var select73 = linear_select([ + msg143, + msg144, + ]); + + var msg145 = msg("75:01", dup169); + + var msg146 = msg("75", dup170); + + var select74 = linear_select([ + msg145, + msg146, + ]); + + var msg147 = msg("76:01", dup151); + + var msg148 = msg("76", dup152); + + var select75 = linear_select([ + msg147, + msg148, + ]); + + var msg149 = msg("77:01", dup151); + + var msg150 = msg("77", dup152); + + var select76 = linear_select([ + msg149, + msg150, + ]); + + var msg151 = msg("78:01", dup151); + + var msg152 = msg("78", dup152); + + var select77 = linear_select([ + msg151, + msg152, + ]); + + var msg153 = msg("79:01", dup169); + + var msg154 = msg("79", dup170); + + var select78 = linear_select([ + msg153, + msg154, + ]); + + var msg155 = msg("80:01", dup169); + + var msg156 = msg("80", dup170); + + var select79 = linear_select([ + msg155, + msg156, + ]); + + var msg157 = msg("81:01", dup167); + + var msg158 = msg("81", dup168); + + var select80 = linear_select([ + msg157, + msg158, + ]); + + var msg159 = msg("82:01", dup151); + + var msg160 = msg("82", dup152); + + var select81 = linear_select([ + msg159, + msg160, + ]); + + var msg161 = msg("83:01", dup169); + + var msg162 = msg("83", dup170); + + var select82 = linear_select([ + msg161, + msg162, + ]); + + var msg163 = msg("84:01", dup169); + + var msg164 = msg("84", dup170); + + var select83 = linear_select([ + msg163, + msg164, + ]); + + var msg165 = msg("85:01", dup151); + + var msg166 = msg("85", dup152); + + var select84 = linear_select([ + msg165, + msg166, + ]); + + var msg167 = msg("86:01", dup159); + + var msg168 = msg("86", dup160); + + var select85 = linear_select([ + msg167, + msg168, + ]); + + var msg169 = msg("87:01", dup151); + + var msg170 = msg("87", dup152); + + var select86 = linear_select([ 
+ msg169, + msg170, + ]); + + var msg171 = msg("88:01", dup169); + + var msg172 = msg("88", dup170); + + var select87 = linear_select([ + msg171, + msg172, + ]); + + var msg173 = msg("89:01", dup151); + + var msg174 = msg("89", dup152); + + var select88 = linear_select([ + msg173, + msg174, + ]); + + var msg175 = msg("90:01", dup151); + + var msg176 = msg("90", dup152); + + var select89 = linear_select([ + msg175, + msg176, + ]); + + var msg177 = msg("91:01", dup151); + + var msg178 = msg("91", dup152); + + var select90 = linear_select([ + msg177, + msg178, + ]); + + var msg179 = msg("92:01", dup151); + + var msg180 = msg("92", dup152); + + var select91 = linear_select([ + msg179, + msg180, + ]); + + var msg181 = msg("93:01", dup151); + + var msg182 = msg("93", dup152); + + var select92 = linear_select([ + msg181, + msg182, + ]); + + var msg183 = msg("94:01", dup169); + + var msg184 = msg("94", dup170); + + var select93 = linear_select([ + msg183, + msg184, + ]); + + var msg185 = msg("95:01", dup169); + + var msg186 = msg("95", dup170); + + var select94 = linear_select([ + msg185, + msg186, + ]); + + var msg187 = msg("96:01", dup151); + + var msg188 = msg("96", dup152); + + var select95 = linear_select([ + msg187, + msg188, + ]); + + var msg189 = msg("97:01", dup151); + + var msg190 = msg("97", dup152); + + var select96 = linear_select([ + msg189, + msg190, + ]); + + var msg191 = msg("98:01", dup171); + + var msg192 = msg("98", dup170); + + var select97 = linear_select([ + msg191, + msg192, + ]); + + var msg193 = msg("99:01", dup171); + + var msg194 = msg("99", dup170); + + var select98 = linear_select([ + msg193, + msg194, + ]); + + var msg195 = msg("100:01", dup151); + + var msg196 = msg("100", dup152); + + var select99 = linear_select([ + msg195, + msg196, + ]); + + var msg197 = msg("101:01", dup151); + + var msg198 = msg("101", dup152); + + var select100 = linear_select([ + msg197, + msg198, + ]); + + var msg199 = msg("102:01", dup155); + + var msg200 = 
msg("102", dup156); + + var select101 = linear_select([ + msg199, + msg200, + ]); + + var part18 = tagval("MESSAGE#200:103:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, + dup3, + ])); + + var msg201 = msg("103:01", part18); + + var part19 = match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, + ])); + + var msg202 = msg("103", part19); + + var select102 = linear_select([ + msg201, + msg202, + ]); + + var part20 = tagval("MESSAGE#202:104:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": 
"directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup27, + dup6, + dup29, + dup2, + dup3, + ])); + + var msg203 = msg("104:01", part20); + + var part21 = match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup29, + dup2, + ])); + + var msg204 = msg("104", part21); + + var select103 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("105:01", dup169); + + var msg206 = msg("105", dup170); + + var select104 = linear_select([ + msg205, + msg206, + ]); + + var msg207 = msg("106:01", dup169); + + var msg208 = msg("106", dup170); + + var select105 = linear_select([ + msg207, + msg208, + ]); + + var msg209 = msg("107:01", dup169); + + var msg210 = msg("107", dup170); + + var select106 = linear_select([ + msg209, + msg210, + ]); + + var msg211 = msg("108:01", dup169); + + var msg212 = msg("108", dup170); + + var select107 = linear_select([ + msg211, + msg212, + ]); + + var msg213 = msg("109:01", dup169); + + var msg214 = msg("109", dup170); + + var select108 = linear_select([ + msg213, + msg214, + ]); + + var msg215 = msg("110:01", dup151); + + var msg216 = msg("110", 
dup152); + + var select109 = linear_select([ + msg215, + msg216, + ]); + + var msg217 = msg("111:01", dup169); + + var msg218 = msg("111", dup170); + + var select110 = linear_select([ + msg217, + msg218, + ]); + + var msg219 = msg("112:01", dup169); + + var msg220 = msg("112", dup170); + + var select111 = linear_select([ + msg219, + msg220, + ]); + + var msg221 = msg("114:01", dup169); + + var msg222 = msg("114", dup170); + + var select112 = linear_select([ + msg221, + msg222, + ]); + + var msg223 = msg("115:01", dup169); + + var msg224 = msg("115", dup170); + + var select113 = linear_select([ + msg223, + msg224, + ]); + + var msg225 = msg("116:01", dup151); + + var msg226 = msg("116", dup152); + + var select114 = linear_select([ + msg225, + msg226, + ]); + + var msg227 = msg("117:01", dup151); + + var msg228 = msg("117", dup152); + + var select115 = linear_select([ + msg227, + msg228, + ]); + + var msg229 = msg("118:01", dup169); + + var msg230 = msg("118", dup170); + + var select116 = linear_select([ + msg229, + msg230, + ]); + + var msg231 = msg("119:01", dup169); + + var msg232 = msg("119", dup170); + + var select117 = linear_select([ + msg231, + msg232, + ]); + + var msg233 = msg("120:01", dup169); + + var msg234 = msg("120", dup170); + + var select118 = linear_select([ + msg233, + msg234, + ]); + + var msg235 = msg("121:01", dup169); + + var msg236 = msg("121", dup170); + + var select119 = linear_select([ + msg235, + msg236, + ]); + + var msg237 = msg("122:01", dup169); + + var msg238 = msg("122", dup170); + + var select120 = linear_select([ + msg237, + msg238, + ]); + + var msg239 = msg("123:01", dup169); + + var msg240 = msg("123", dup170); + + var select121 = linear_select([ + msg239, + msg240, + ]); + + var msg241 = msg("124:01", dup169); + + var msg242 = msg("124", dup170); + + var select122 = linear_select([ + msg241, + msg242, + ]); + + var msg243 = msg("125:01", dup169); + + var msg244 = msg("125", dup170); + + var select123 = linear_select([ + 
msg243, + msg244, + ]); + + var msg245 = msg("126:01", dup169); + + var msg246 = msg("126", dup170); + + var select124 = linear_select([ + msg245, + msg246, + ]); + + var msg247 = msg("127:01", dup169); + + var msg248 = msg("127", dup170); + + var select125 = linear_select([ + msg247, + msg248, + ]); + + var msg249 = msg("128:01", dup169); + + var msg250 = msg("128", dup170); + + var select126 = linear_select([ + msg249, + msg250, + ]); + + var msg251 = msg("129:01", dup169); + + var msg252 = msg("129", dup170); + + var select127 = linear_select([ + msg251, + msg252, + ]); + + var msg253 = msg("130:01", dup169); + + var msg254 = msg("130", dup170); + + var select128 = linear_select([ + msg253, + msg254, + ]); + + var msg255 = msg("131:01", dup151); + + var msg256 = msg("131", dup152); + + var select129 = linear_select([ + msg255, + msg256, + ]); + + var msg257 = msg("132:01", dup151); + + var msg258 = msg("132", dup152); + + var select130 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("133:01", dup151); + + var msg260 = msg("133", dup152); + + var select131 = linear_select([ + msg259, + msg260, + ]); + + var part22 = tagval("MESSAGE#260:134:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup30, + dup2, + dup3, + ])); + + var msg261 = msg("134:01", part22); + + var part23 = match("MESSAGE#261:134", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup30, + dup2, + ])); + + var msg262 = msg("134", part23); + + var select132 = linear_select([ + msg261, + msg262, + ]); + + var msg263 = msg("135:01", dup151); + + var msg264 = msg("135", dup152); + + var select133 = linear_select([ + msg263, + msg264, + ]); + + var msg265 = msg("136:01", dup169); + + var msg266 = msg("136", dup170); + + var select134 = linear_select([ + msg265, + msg266, + ]); + + var msg267 = msg("137:01", dup169); + + var msg268 = msg("137", dup170); + + var select135 = linear_select([ + msg267, + msg268, + ]); + + var msg269 = msg("138:01", dup169); + + var msg270 = msg("138", dup170); + + var select136 = linear_select([ + msg269, + msg270, + ]); + + var msg271 = msg("139:01", dup169); + + var msg272 = msg("139", dup170); + + var select137 = linear_select([ + msg271, + msg272, + ]); + + var msg273 = msg("140:01", dup169); + + var msg274 = msg("140", dup170); + + var select138 = linear_select([ + msg273, + msg274, + ]); + + var msg275 = msg("141:01", dup169); + + var msg276 = msg("141", dup170); + + var select139 = linear_select([ + msg275, + msg276, + ]); + + var msg277 = msg("142:01", dup169); + + var msg278 = msg("142", dup170); + + var select140 = linear_select([ + msg277, + msg278, + ]); + + var msg279 = msg("143:01", dup169); + + var msg280 = msg("143", dup170); + + var select141 = linear_select([ + msg279, + msg280, + ]); + + var msg281 = msg("144:01", dup169); + + var msg282 = msg("144", dup170); + + var 
select142 = linear_select([ + msg281, + msg282, + ]); + + var msg283 = msg("145:01", dup169); + + var msg284 = msg("145", dup170); + + var select143 = linear_select([ + msg283, + msg284, + ]); + + var msg285 = msg("146:01", dup151); + + var msg286 = msg("146", dup152); + + var select144 = linear_select([ + msg285, + msg286, + ]); + + var msg287 = msg("147:01", dup151); + + var msg288 = msg("147", dup152); + + var select145 = linear_select([ + msg287, + msg288, + ]); + + var msg289 = msg("148:01", dup151); + + var msg290 = msg("148", dup152); + + var select146 = linear_select([ + msg289, + msg290, + ]); + + var msg291 = msg("149:01", dup151); + + var msg292 = msg("149", dup152); + + var select147 = linear_select([ + msg291, + msg292, + ]); + + var msg293 = msg("150:01", dup151); + + var msg294 = msg("150", dup152); + + var select148 = linear_select([ + msg293, + msg294, + ]); + + var msg295 = msg("152:01", dup151); + + var msg296 = msg("152", dup152); + + var select149 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("153:01", dup151); + + var msg298 = msg("153", dup152); + + var select150 = linear_select([ + msg297, + msg298, + ]); + + var msg299 = msg("154:01", dup151); + + var msg300 = msg("154", dup152); + + var select151 = linear_select([ + msg299, + msg300, + ]); + + var msg301 = msg("155:01", dup151); + + var msg302 = msg("155", dup152); + + var select152 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("156:01", dup151); + + var msg304 = msg("156", dup152); + + var select153 = linear_select([ + msg303, + msg304, + ]); + + var msg305 = msg("157:01", dup151); + + var msg306 = msg("157", dup152); + + var select154 = linear_select([ + msg305, + msg306, + ]); + + var msg307 = msg("158:01", dup151); + + var msg308 = msg("158", dup152); + + var select155 = linear_select([ + msg307, + msg308, + ]); + + var msg309 = msg("159:01", dup151); + + var msg310 = msg("159", dup152); + + var select156 = linear_select([ + msg309, + msg310, + ]); 
+ + var msg311 = msg("160:01", dup151); + + var msg312 = msg("160", dup152); + + var select157 = linear_select([ + msg311, + msg312, + ]); + + var msg313 = msg("161:01", dup151); + + var msg314 = msg("161", dup152); + + var select158 = linear_select([ + msg313, + msg314, + ]); + + var msg315 = msg("162:01", dup151); + + var msg316 = msg("162", dup152); + + var select159 = linear_select([ + msg315, + msg316, + ]); + + var msg317 = msg("163:01", dup151); + + var msg318 = msg("163", dup152); + + var select160 = linear_select([ + msg317, + msg318, + ]); + + var msg319 = msg("164:01", dup151); + + var msg320 = msg("164", dup152); + + var select161 = linear_select([ + msg319, + msg320, + ]); + + var msg321 = msg("165:01", dup151); + + var msg322 = msg("165", dup152); + + var select162 = linear_select([ + msg321, + msg322, + ]); + + var msg323 = msg("166:01", dup151); + + var msg324 = msg("166", dup152); + + var select163 = linear_select([ + msg323, + msg324, + ]); + + var msg325 = msg("167:01", dup151); + + var msg326 = msg("167", dup152); + + var select164 = linear_select([ + msg325, + msg326, + ]); + + var msg327 = msg("168:01", dup151); + + var msg328 = msg("168", dup152); + + var select165 = linear_select([ + msg327, + msg328, + ]); + + var msg329 = msg("169:01", dup151); + + var msg330 = msg("169", dup152); + + var select166 = linear_select([ + msg329, + msg330, + ]); + + var msg331 = msg("170:01", dup169); + + var msg332 = msg("170", dup170); + + var select167 = linear_select([ + msg331, + msg332, + ]); + + var msg333 = msg("171:01", dup151); + + var msg334 = msg("171", dup152); + + var select168 = linear_select([ + msg333, + msg334, + ]); + + var msg335 = msg("172:01", dup169); + + var msg336 = msg("172", dup170); + + var select169 = linear_select([ + msg335, + msg336, + ]); + + var msg337 = msg("173:01", dup151); + + var msg338 = msg("173", dup152); + + var select170 = linear_select([ + msg337, + msg338, + ]); + + var msg339 = msg("174:01", dup151); + + var 
msg340 = msg("174", dup152); + + var select171 = linear_select([ + msg339, + msg340, + ]); + + var msg341 = msg("175:01", dup151); + + var msg342 = msg("175", dup152); + + var select172 = linear_select([ + msg341, + msg342, + ]); + + var msg343 = msg("176:01", dup151); + + var msg344 = msg("176", dup152); + + var select173 = linear_select([ + msg343, + msg344, + ]); + + var msg345 = msg("177:01", dup151); + + var msg346 = msg("177", dup152); + + var select174 = linear_select([ + msg345, + msg346, + ]); + + var msg347 = msg("178:01", dup151); + + var msg348 = msg("178", dup152); + + var select175 = linear_select([ + msg347, + msg348, + ]); + + var msg349 = msg("179:01", dup169); + + var msg350 = msg("179", dup170); + + var select176 = linear_select([ + msg349, + msg350, + ]); + + var msg351 = msg("180:01", dup169); + + var msg352 = msg("180", dup170); + + var select177 = linear_select([ + msg351, + msg352, + ]); + + var msg353 = msg("181:01", dup169); + + var msg354 = msg("181", dup170); + + var select178 = linear_select([ + msg353, + msg354, + ]); + + var msg355 = msg("182:01", dup169); + + var msg356 = msg("182", dup170); + + var select179 = linear_select([ + msg355, + msg356, + ]); + + var msg357 = msg("183:01", dup169); + + var msg358 = msg("183", dup170); + + var select180 = linear_select([ + msg357, + msg358, + ]); + + var msg359 = msg("184:01", dup169); + + var msg360 = msg("184", dup170); + + var select181 = linear_select([ + msg359, + msg360, + ]); + + var msg361 = msg("185:01", dup169); + + var msg362 = msg("185", dup170); + + var select182 = linear_select([ + msg361, + msg362, + ]); + + var msg363 = msg("186:01", dup151); + + var msg364 = msg("186", dup152); + + var select183 = linear_select([ + msg363, + msg364, + ]); + + var msg365 = msg("187:01", dup169); + + var msg366 = msg("187", dup170); + + var select184 = linear_select([ + msg365, + msg366, + ]); + + var msg367 = msg("188:01", dup169); + + var msg368 = msg("188", dup170); + + var select185 = 
linear_select([ + msg367, + msg368, + ]); + + var msg369 = msg("189:01", dup169); + + var msg370 = msg("189", dup170); + + var select186 = linear_select([ + msg369, + msg370, + ]); + + var msg371 = msg("191:01", dup151); + + var msg372 = msg("191", dup152); + + var select187 = linear_select([ + msg371, + msg372, + ]); + + var msg373 = msg("192:01", dup169); + + var msg374 = msg("192", dup170); + + var select188 = linear_select([ + msg373, + msg374, + ]); + + var msg375 = msg("193:01", dup151); + + var msg376 = msg("193", dup152); + + var select189 = linear_select([ + msg375, + msg376, + ]); + + var msg377 = msg("194:01", dup169); + + var msg378 = msg("194", dup170); + + var select190 = linear_select([ + msg377, + msg378, + ]); + + var msg379 = msg("195:01", dup169); + + var msg380 = msg("195", dup170); + + var select191 = linear_select([ + msg379, + msg380, + ]); + + var msg381 = msg("196:01", dup151); + + var msg382 = msg("196", dup152); + + var select192 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = msg("197:01", dup151); + + var msg384 = msg("197", dup152); + + var select193 = linear_select([ + msg383, + msg384, + ]); + + var msg385 = msg("198:01", dup169); + + var msg386 = msg("198", dup170); + + var select194 = linear_select([ + msg385, + msg386, + ]); + + var msg387 = msg("199:01", dup169); + + var msg388 = msg("199", dup170); + + var select195 = linear_select([ + msg387, + msg388, + ]); + + var msg389 = msg("200:01", dup169); + + var msg390 = msg("200", dup170); + + var select196 = linear_select([ + msg389, + msg390, + ]); + + var msg391 = msg("201:01", dup169); + + var msg392 = msg("201", dup170); + + var select197 = linear_select([ + msg391, + msg392, + ]); + + var msg393 = msg("202:01", dup169); + + var msg394 = msg("202", dup170); + + var select198 = linear_select([ + msg393, + msg394, + ]); + + var msg395 = msg("203:01", dup169); + + var msg396 = msg("203", dup170); + + var select199 = linear_select([ + msg395, + msg396, + ]); + + var 
msg397 = msg("204:01", dup151); + + var msg398 = msg("204", dup152); + + var select200 = linear_select([ + msg397, + msg398, + ]); + + var msg399 = msg("205:01", dup151); + + var msg400 = msg("205", dup152); + + var select201 = linear_select([ + msg399, + msg400, + ]); + + var msg401 = msg("206:01", dup151); + + var msg402 = msg("206", dup152); + + var select202 = linear_select([ + msg401, + msg402, + ]); + + var msg403 = msg("207:01", dup151); + + var msg404 = msg("207", dup152); + + var select203 = linear_select([ + msg403, + msg404, + ]); + + var msg405 = msg("208:01", dup151); + + var msg406 = msg("208", dup152); + + var select204 = linear_select([ + msg405, + msg406, + ]); + + var msg407 = msg("209:01", dup169); + + var msg408 = msg("209", dup170); + + var select205 = linear_select([ + msg407, + msg408, + ]); + + var msg409 = msg("211:01", dup169); + + var msg410 = msg("211", dup170); + + var select206 = linear_select([ + msg409, + msg410, + ]); + + var msg411 = msg("212:01", dup169); + + var msg412 = msg("212", dup170); + + var select207 = linear_select([ + msg411, + msg412, + ]); + + var msg413 = msg("213:01", dup169); + + var msg414 = msg("213", dup170); + + var select208 = linear_select([ + msg413, + msg414, + ]); + + var msg415 = msg("214:01", dup151); + + var msg416 = msg("214", dup152); + + var select209 = linear_select([ + msg415, + msg416, + ]); + + var msg417 = msg("215:01", dup151); + + var msg418 = msg("215", dup152); + + var select210 = linear_select([ + msg417, + msg418, + ]); + + var msg419 = msg("216:01", dup151); + + var msg420 = msg("216", dup152); + + var select211 = linear_select([ + msg419, + msg420, + ]); + + var msg421 = msg("217:01", dup169); + + var msg422 = msg("217", dup170); + + var select212 = linear_select([ + msg421, + msg422, + ]); + + var msg423 = msg("218:01", dup169); + + var msg424 = msg("218", dup170); + + var select213 = linear_select([ + msg423, + msg424, + ]); + + var msg425 = msg("219:01", dup169); + + var msg426 = 
msg("219", dup170); + + var select214 = linear_select([ + msg425, + msg426, + ]); + + var msg427 = msg("220:01", dup169); + + var msg428 = msg("220", dup170); + + var select215 = linear_select([ + msg427, + msg428, + ]); + + var msg429 = msg("221:01", dup169); + + var msg430 = msg("221", dup170); + + var select216 = linear_select([ + msg429, + msg430, + ]); + + var msg431 = msg("222:01", dup151); + + var msg432 = msg("222", dup152); + + var select217 = linear_select([ + msg431, + msg432, + ]); + + var msg433 = msg("223:01", dup169); + + var msg434 = msg("223", dup170); + + var select218 = linear_select([ + msg433, + msg434, + ]); + + var msg435 = msg("224:01", dup169); + + var msg436 = msg("224", dup170); + + var select219 = linear_select([ + msg435, + msg436, + ]); + + var msg437 = msg("229:01", dup169); + + var msg438 = msg("229", dup170); + + var select220 = linear_select([ + msg437, + msg438, + ]); + + var msg439 = msg("230:01", dup151); + + var msg440 = msg("230", dup152); + + var select221 = linear_select([ + msg439, + msg440, + ]); + + var msg441 = msg("231:01", dup151); + + var msg442 = msg("231", dup152); + + var select222 = linear_select([ + msg441, + msg442, + ]); + + var msg443 = msg("232:01", dup151); + + var msg444 = msg("232", dup152); + + var select223 = linear_select([ + msg443, + msg444, + ]); + + var msg445 = msg("233:01", dup151); + + var msg446 = msg("233", dup152); + + var select224 = linear_select([ + msg445, + msg446, + ]); + + var msg447 = msg("236:01", dup153); + + var msg448 = msg("236", dup154); + + var select225 = linear_select([ + msg447, + msg448, + ]); + + var msg449 = msg("237:01", dup169); + + var msg450 = msg("237", dup170); + + var select226 = linear_select([ + msg449, + msg450, + ]); + + var msg451 = msg("238:01", dup151); + + var msg452 = msg("238", dup152); + + var select227 = linear_select([ + msg451, + msg452, + ]); + + var msg453 = msg("239:01", dup169); + + var msg454 = msg("239", dup170); + + var select228 = 
linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("240:01", dup169); + + var msg456 = msg("240", dup170); + + var select229 = linear_select([ + msg455, + msg456, + ]); + + var msg457 = msg("241:01", dup169); + + var msg458 = msg("241", dup170); + + var select230 = linear_select([ + msg457, + msg458, + ]); + + var msg459 = msg("243:01", dup151); + + var msg460 = msg("243", dup152); + + var select231 = linear_select([ + msg459, + msg460, + ]); + + var msg461 = msg("244:01", dup151); + + var msg462 = msg("244", dup152); + + var select232 = linear_select([ + msg461, + msg462, + ]); + + var msg463 = msg("246:01", dup169); + + var msg464 = msg("246", dup170); + + var select233 = linear_select([ + msg463, + msg464, + ]); + + var msg465 = msg("247:01", dup169); + + var msg466 = msg("247", dup170); + + var select234 = linear_select([ + msg465, + msg466, + ]); + + var msg467 = msg("248:01", dup151); + + var msg468 = msg("248", dup152); + + var select235 = linear_select([ + msg467, + msg468, + ]); + + var msg469 = msg("249:01", dup151); + + var msg470 = msg("249", dup152); + + var select236 = linear_select([ + msg469, + msg470, + ]); + + var msg471 = msg("250:01", dup151); + + var msg472 = msg("250", dup152); + + var select237 = linear_select([ + msg471, + msg472, + ]); + + var msg473 = msg("251:01", dup169); + + var msg474 = msg("251", dup170); + + var select238 = linear_select([ + msg473, + msg474, + ]); + + var msg475 = msg("252:01", dup169); + + var msg476 = msg("252", dup170); + + var select239 = linear_select([ + msg475, + msg476, + ]); + + var msg477 = msg("253:01", dup151); + + var msg478 = msg("253", dup152); + + var select240 = linear_select([ + msg477, + msg478, + ]); + + var msg479 = msg("254:01", dup169); + + var msg480 = msg("254", dup170); + + var select241 = linear_select([ + msg479, + msg480, + ]); + + var msg481 = msg("255:01", dup151); + + var msg482 = msg("255", dup152); + + var select242 = linear_select([ + msg481, + msg482, + ]); + + var 
msg483 = msg("256:01", dup169); + + var msg484 = msg("256", dup170); + + var select243 = linear_select([ + msg483, + msg484, + ]); + + var msg485 = msg("257:01", dup169); + + var msg486 = msg("257", dup170); + + var select244 = linear_select([ + msg485, + msg486, + ]); + + var msg487 = msg("259:01", dup169); + + var msg488 = msg("259", dup170); + + var select245 = linear_select([ + msg487, + msg488, + ]); + + var msg489 = msg("260:01", dup151); + + var msg490 = msg("260", dup152); + + var select246 = linear_select([ + msg489, + msg490, + ]); + + var msg491 = msg("261:01", dup151); + + var msg492 = msg("261", dup152); + + var select247 = linear_select([ + msg491, + msg492, + ]); + + var msg493 = msg("262:01", dup151); + + var msg494 = msg("262", dup152); + + var select248 = linear_select([ + msg493, + msg494, + ]); + + var msg495 = msg("263:01", dup151); + + var msg496 = msg("263", dup152); + + var select249 = linear_select([ + msg495, + msg496, + ]); + + var msg497 = msg("264:01", dup169); + + var msg498 = msg("264", dup170); + + var select250 = linear_select([ + msg497, + msg498, + ]); + + var msg499 = msg("265:01", dup169); + + var msg500 = msg("265", dup170); + + var select251 = linear_select([ + msg499, + msg500, + ]); + + var msg501 = msg("266:01", dup169); + + var msg502 = msg("266", dup170); + + var select252 = linear_select([ + msg501, + msg502, + ]); + + var msg503 = msg("267:01", dup169); + + var msg504 = msg("267", dup170); + + var select253 = linear_select([ + msg503, + msg504, + ]); + + var msg505 = msg("268:01", dup169); + + var msg506 = msg("268", dup170); + + var select254 = linear_select([ + msg505, + msg506, + ]); + + var msg507 = msg("269:01", dup151); + + var msg508 = msg("269", dup152); + + var select255 = linear_select([ + msg507, + msg508, + ]); + + var msg509 = msg("270:01", dup169); + + var msg510 = msg("270", dup170); + + var select256 = linear_select([ + msg509, + msg510, + ]); + + var msg511 = msg("271:01", dup151); + + var msg512 = 
msg("271", dup152); + + var select257 = linear_select([ + msg511, + msg512, + ]); + + var msg513 = msg("272:01", dup169); + + var msg514 = msg("272", dup170); + + var select258 = linear_select([ + msg513, + msg514, + ]); + + var msg515 = msg("273:01", dup169); + + var msg516 = msg("273", dup170); + + var select259 = linear_select([ + msg515, + msg516, + ]); + + var msg517 = msg("274:01", dup169); + + var msg518 = msg("274", dup170); + + var select260 = linear_select([ + msg517, + msg518, + ]); + + var msg519 = msg("275:01", dup169); + + var msg520 = msg("275", dup170); + + var select261 = linear_select([ + msg519, + msg520, + ]); + + var msg521 = msg("276:01", dup169); + + var msg522 = msg("276", dup170); + + var select262 = linear_select([ + msg521, + msg522, + ]); + + var msg523 = msg("277:01", dup169); + + var msg524 = msg("277", dup170); + + var select263 = linear_select([ + msg523, + msg524, + ]); + + var msg525 = msg("278:01", dup169); + + var msg526 = msg("278", dup170); + + var select264 = linear_select([ + msg525, + msg526, + ]); + + var msg527 = msg("279:01", dup169); + + var msg528 = msg("279", dup170); + + var select265 = linear_select([ + msg527, + msg528, + ]); + + var msg529 = msg("280:01", dup151); + + var msg530 = msg("280", dup152); + + var select266 = linear_select([ + msg529, + msg530, + ]); + + var msg531 = msg("281:01", dup151); + + var msg532 = msg("281", dup152); + + var select267 = linear_select([ + msg531, + msg532, + ]); + + var msg533 = msg("282:01", dup169); + + var msg534 = msg("282", dup170); + + var select268 = linear_select([ + msg533, + msg534, + ]); + + var msg535 = msg("283:01", dup169); + + var msg536 = msg("283", dup170); + + var select269 = linear_select([ + msg535, + msg536, + ]); + + var msg537 = msg("284:01", dup151); + + var msg538 = msg("284", dup152); + + var select270 = linear_select([ + msg537, + msg538, + ]); + + var msg539 = msg("285:01", dup159); + + var msg540 = msg("285", dup160); + + var select271 = 
linear_select([ + msg539, + msg540, + ]); + + var msg541 = msg("286:01", dup169); + + var msg542 = msg("286", dup170); + + var select272 = linear_select([ + msg541, + msg542, + ]); + + var msg543 = msg("287:01", dup169); + + var msg544 = msg("287", dup170); + + var select273 = linear_select([ + msg543, + msg544, + ]); + + var msg545 = msg("288:01", dup169); + + var msg546 = msg("288", dup170); + + var select274 = linear_select([ + msg545, + msg546, + ]); + + var msg547 = msg("289:01", dup169); + + var msg548 = msg("289", dup170); + + var select275 = linear_select([ + msg547, + msg548, + ]); + + var msg549 = msg("290:01", dup169); + + var msg550 = msg("290", dup170); + + var select276 = linear_select([ + msg549, + msg550, + ]); + + var msg551 = msg("291:01", dup169); + + var msg552 = msg("291", dup170); + + var select277 = linear_select([ + msg551, + msg552, + ]); + + var msg553 = msg("292:01", dup169); + + var msg554 = msg("292", dup170); + + var select278 = linear_select([ + msg553, + msg554, + ]); + + var msg555 = msg("293:01", dup169); + + var msg556 = msg("293", dup170); + + var select279 = linear_select([ + msg555, + msg556, + ]); + + var msg557 = msg("294:01", dup169); + + var msg558 = msg("294", dup170); + + var select280 = linear_select([ + msg557, + msg558, + ]); + + var msg559 = msg("295:01", dup169); + + var msg560 = msg("295", dup170); + + var select281 = linear_select([ + msg559, + msg560, + ]); + + var msg561 = msg("296:01", dup169); + + var msg562 = msg("296", dup170); + + var select282 = linear_select([ + msg561, + msg562, + ]); + + var msg563 = msg("297:01", dup151); + + var msg564 = msg("297", dup152); + + var select283 = linear_select([ + msg563, + msg564, + ]); + + var msg565 = msg("298:01", dup151); + + var msg566 = msg("298", dup152); + + var select284 = linear_select([ + msg565, + msg566, + ]); + + var msg567 = msg("299:01", dup169); + + var msg568 = msg("299", dup170); + + var select285 = linear_select([ + msg567, + msg568, + ]); + + var 
part24 = match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + + var all1 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part24, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), + }); + + var msg569 = msg("300:02", all1); + + var part25 = tagval("MESSAGE#569:300:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup4, + dup2, + dup3, + dup24, + ])); + + var msg570 = msg("300:01", part25); + + var msg571 = msg("300", dup154); + + var select286 = linear_select([ + msg569, + msg570, + msg571, + ]); + + var msg572 = msg("301:01", dup163); + + var msg573 = msg("301", dup164); + + var select287 = linear_select([ + msg572, + msg573, + ]); + + var part26 = match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + + var all2 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + 
dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part26, + ], + on_success: processor_chain([ + dup21, + dup2, + dup3, + dup24, + ]), + }); + + var msg574 = msg("302:02", all2); + + var msg575 = msg("302:01", dup163); + + var msg576 = msg("302", dup164); + + var select288 = linear_select([ + msg574, + msg575, + msg576, + ]); + + var msg577 = msg("303:01", dup163); + + var msg578 = msg("303", dup164); + + var select289 = linear_select([ + msg577, + msg578, + ]); + + var part27 = match("MESSAGE#578:304:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); + + var part28 = match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); + + var select290 = linear_select([ + part27, + part28, + ]); + + var part29 = match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + + var all3 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + select290, + part29, + ], + on_success: processor_chain([ + dup26, + dup2, + dup3, + dup24, + ]), + }); + + var msg579 = msg("304:02", all3); + + var msg580 = msg("304:01", dup169); + + var msg581 = msg("304", dup170); + + var select291 = linear_select([ + msg579, + msg580, + msg581, + ]); + + var msg582 = msg("305:01", dup169); + + var msg583 = msg("305", dup170); + + var select292 = linear_select([ + msg582, + msg583, + ]); + + var msg584 = msg("306:01", dup151); + + var msg585 = msg("306", dup152); + + var select293 = linear_select([ + msg584, + msg585, + ]); + + var msg586 = msg("307:01", dup151); + + var msg587 = msg("307", dup152); + + var 
select294 = linear_select([ + msg586, + msg587, + ]); + + var part30 = tagval("MESSAGE#587:308:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup78, + dup2, + dup3, + ])); + + var msg588 = msg("308:01", part30); + + var part31 = match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup78, + dup2, + ])); + + var msg589 = msg("308", part31); + + var select295 = linear_select([ + msg588, + msg589, + ]); + + var part32 = tagval("MESSAGE#589:309:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": 
"dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, + ])); + + var msg590 = msg("309:01", part32); + + var part33 = match("MESSAGE#590:309", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, + ])); + + var msg591 = msg("309", part33); + + var select296 = linear_select([ + msg590, + msg591, + ]); + + var msg592 = msg("317:01", dup195); + + var msg593 = msg("317", dup196); + + var select297 = linear_select([ + msg592, + msg593, + ]); + + var msg594 = msg("316:01", dup195); + + var msg595 = msg("316", dup196); + + var select298 = linear_select([ + msg594, + msg595, + ]); + + var msg596 = msg("355:01", dup197); + + var msg597 = msg("355", dup198); + + var select299 = linear_select([ + msg596, + msg597, + ]); + + var msg598 = msg("356:01", dup197); + + var msg599 = msg("356", dup198); + + var select300 = linear_select([ + msg598, + msg599, + ]); + + var msg600 = msg("357:01", dup199); + + var msg601 = msg("357", dup200); + + var select301 = linear_select([ + msg600, + msg601, + ]); + + var msg602 = msg("358:01", dup199); + + var msg603 = msg("358", dup200); + + var select302 = linear_select([ + msg602, + msg603, + ]); 
+ + var part34 = tagval("MESSAGE#603:190:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup84, + dup2, + dup3, + ])); + + var msg604 = msg("190:01", part34); + + var part35 = match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup84, + dup2, + ])); + + var msg605 = msg("190", part35); + + var select303 = linear_select([ + msg604, + msg605, + ]); + + var msg606 = msg("5:01", dup161); + + var msg607 = msg("5", dup162); + + var select304 = linear_select([ + msg606, + msg607, + ]); + + var msg608 = msg("310:01", dup153); + + var msg609 = msg("310", dup154); + + var select305 = linear_select([ + msg608, + msg609, + ]); + + var msg610 = msg("311:01", dup153); + + var msg611 = msg("311", dup154); + + var select306 = linear_select([ + msg610, + msg611, + ]); + + var msg612 = msg("312:01", dup153); + + var msg613 = 
msg("312", dup154); + + var select307 = linear_select([ + msg612, + msg613, + ]); + + var msg614 = msg("313:01", dup153); + + var msg615 = msg("313", dup154); + + var select308 = linear_select([ + msg614, + msg615, + ]); + + var msg616 = msg("359:01", dup153); + + var msg617 = msg("359", dup154); + + var select309 = linear_select([ + msg616, + msg617, + ]); + + var msg618 = msg("372", dup201); + + var msg619 = msg("374", dup201); + + var msg620 = msg("376", dup201); + + var part36 = match("MESSAGE#620:411:01/17_0", "nwparser.p0", "\"%{fld89}\";LogonDomain=%{p0}"); + + var part37 = match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); + + var select310 = linear_select([ + part36, + part37, + ]); + + var part38 = match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); + + var part39 = match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); + + var select311 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); + + var all4 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + select310, + dup189, + dup190, + dup191, + dup192, + dup193, + select311, + part40, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), + }); + + var msg621 = msg("411:01", all4); + + var part41 = match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); + + 
var select312 = linear_select([ + part41, + dup150, + ]); + + var all5 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select312, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg622 = msg("411", all5); + + var select313 = linear_select([ + msg621, + msg622, + ]); + + var part42 = match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg623 = msg("385", part42); + + var part43 = match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + + var select314 = linear_select([ + part43, + dup150, + ]); + + var all6 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + 
dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select314, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg624 = msg("361", all6); + + var part44 = match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + + var select315 = linear_select([ + part44, + dup150, + ]); + + var all7 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select315, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg625 = msg("412", all7); + + var msg626 = msg("378", dup153); + + var msg627 = msg("321", dup153); + + var msg628 = msg("322", dup153); + + var msg629 = msg("323", dup153); + + var msg630 = msg("318", dup153); + + var msg631 = msg("380", dup153); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "1": select2, + "10": select9, + "100": select99, + "101": select100, + "102": select101, + "103": select102, + "104": select103, + "105": select104, + "106": select105, + "107": select106, + "108": select107, + "109": select108, + "11": select10, + "110": select109, + "111": select110, + "112": select111, + "114": select112, + "115": select113, + "116": select114, + "117": select115, + "118": select116, + "119": select117, + "12": select11, + "120": select118, + "121": select119, + "122": select120, + "123": select121, + "124": select122, + "125": select123, 
+ "126": select124, + "127": select125, + "128": select126, + "129": select127, + "13": select12, + "130": select128, + "131": select129, + "132": select130, + "133": select131, + "134": select132, + "135": select133, + "136": select134, + "137": select135, + "138": select136, + "139": select137, + "14": select13, + "140": select138, + "141": select139, + "142": select140, + "143": select141, + "144": select142, + "145": select143, + "146": select144, + "147": select145, + "148": select146, + "149": select147, + "15": select14, + "150": select148, + "152": select149, + "153": select150, + "154": select151, + "155": select152, + "156": select153, + "157": select154, + "158": select155, + "159": select156, + "16": select15, + "160": select157, + "161": select158, + "162": select159, + "163": select160, + "164": select161, + "165": select162, + "166": select163, + "167": select164, + "168": select165, + "169": select166, + "17": select16, + "170": select167, + "171": select168, + "172": select169, + "173": select170, + "174": select171, + "175": select172, + "176": select173, + "177": select174, + "178": select175, + "179": select176, + "18": select17, + "180": select177, + "181": select178, + "182": select179, + "183": select180, + "184": select181, + "185": select182, + "186": select183, + "187": select184, + "188": select185, + "189": select186, + "19": select18, + "190": select303, + "191": select187, + "192": select188, + "193": select189, + "194": select190, + "195": select191, + "196": select192, + "197": select193, + "198": select194, + "199": select195, + "2": select3, + "20": select19, + "200": select196, + "201": select197, + "202": select198, + "203": select199, + "204": select200, + "205": select201, + "206": select202, + "207": select203, + "208": select204, + "209": select205, + "21": select20, + "211": select206, + "212": select207, + "213": select208, + "214": select209, + "215": select210, + "216": select211, + "217": select212, + "218": select213, + 
"219": select214, + "22": select21, + "220": select215, + "221": select216, + "222": select217, + "223": select218, + "224": select219, + "229": select220, + "23": select22, + "230": select221, + "231": select222, + "232": select223, + "233": select224, + "236": select225, + "237": select226, + "238": select227, + "239": select228, + "24": select23, + "240": select229, + "241": select230, + "243": select231, + "244": select232, + "246": select233, + "247": select234, + "248": select235, + "249": select236, + "25": select24, + "250": select237, + "251": select238, + "252": select239, + "253": select240, + "254": select241, + "255": select242, + "256": select243, + "257": select244, + "259": select245, + "26": select25, + "260": select246, + "261": select247, + "262": select248, + "263": select249, + "264": select250, + "265": select251, + "266": select252, + "267": select253, + "268": select254, + "269": select255, + "27": select26, + "270": select256, + "271": select257, + "272": select258, + "273": select259, + "274": select260, + "275": select261, + "276": select262, + "277": select263, + "278": select264, + "279": select265, + "28": select27, + "280": select266, + "281": select267, + "282": select268, + "283": select269, + "284": select270, + "285": select271, + "286": select272, + "287": select273, + "288": select274, + "289": select275, + "29": select28, + "290": select276, + "291": select277, + "292": select278, + "293": select279, + "294": select280, + "295": select281, + "296": select282, + "297": select283, + "298": select284, + "299": select285, + "3": select4, + "30": select29, + "300": select286, + "301": select287, + "302": select288, + "303": select289, + "304": select291, + "305": select292, + "306": select293, + "307": select294, + "308": select295, + "309": select296, + "31": select30, + "310": select305, + "311": select306, + "312": select307, + "313": select308, + "316": select298, + "317": select297, + "318": msg630, + "32": select31, + "321": 
msg627, + "322": msg628, + "323": msg629, + "33": select32, + "34": select33, + "35": select34, + "355": select299, + "356": select300, + "357": select301, + "358": select302, + "359": select309, + "36": select35, + "361": msg624, + "37": select36, + "372": msg618, + "374": msg619, + "376": msg620, + "378": msg626, + "38": select37, + "380": msg631, + "385": msg623, + "39": select38, + "4": select5, + "40": select39, + "41": select40, + "411": select313, + "412": msg625, + "42": select41, + "43": select42, + "44": select43, + "45": select44, + "46": select45, + "47": select46, + "48": select47, + "49": select48, + "5": select304, + "50": select49, + "51": select50, + "52": select51, + "53": select52, + "54": select53, + "55": select54, + "56": select55, + "57": select56, + "58": select57, + "59": select58, + "60": select59, + "61": select60, + "62": select61, + "63": select62, + "64": select63, + "65": select64, + "66": select65, + "67": select66, + "68": select67, + "69": select68, + "7": select6, + "70": select69, + "71": select70, + "72": select71, + "73": select72, + "74": select73, + "75": select74, + "76": select75, + "77": select76, + "78": select77, + "79": select78, + "8": select7, + "80": select79, + "81": select80, + "82": select81, + "83": select82, + "84": select83, + "85": select84, + "86": select85, + "87": select86, + "88": select87, + "89": select88, + "9": select8, + "90": select89, + "91": select90, + "92": select91, + "93": select92, + "94": select93, + "95": select94, + "96": select95, + "97": select96, + "98": select97, + "99": select98, + }), + ]); + + var part45 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); + + var part46 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); + + var part47 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); + + var part48 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); + + var part49 = 
match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); + + var part50 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); + + var part51 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); + + var part52 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); + + var part53 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); + + var part54 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%(unknown)\";Safe=%{p0}"); + + var part55 = match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%(unknown);Safe=%{p0}"); + + var part56 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); + + var part57 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); + + var part58 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); + + var part59 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); + + var part60 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); + + var part61 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); + + var part62 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); + + var part63 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); + + var part64 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); + + var part65 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); + + var part66 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); + + var part67 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); + + var part68 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); + + var part69 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", 
"%{group};TargetUser=%{p0}"); + + var part70 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); + + var part71 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); + + var part72 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); + + var part73 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); + + var part74 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); + + var part75 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); + + var part76 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); + + var part77 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); + + var part78 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); + + var part79 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); + + var part80 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); + + var part81 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); + + var part82 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); + + var part83 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); + + var part84 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); + + var part85 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); + + var part86 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); + + var part87 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); + + var part88 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); + + var part89 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); + + var part90 = 
match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); + + var part91 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); + + var part92 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); + + var part93 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); + + var part94 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); + + var part95 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); + + var part96 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); + + var part97 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); + + var part98 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); + + var part99 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); + + var part100 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); + + var part101 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); + + var part102 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); + + var part103 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); + + var part104 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%(unknown)\";%{p0}"); + + var part105 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%(unknown);%{p0}"); + + var part106 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); + + var part107 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); + + var part108 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); + + var part109 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); + + var part110 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); + + var part111 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); + + var part112 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); + + var part113 = 
match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); + + var part114 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); + + var part115 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); + + var part116 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); + + var part117 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); + + var part118 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); + + var part119 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); + + var part120 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); + + var part121 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); + + var part122 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); + + var part123 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); + + var part124 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); + + var part125 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); + + var part126 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); + + var part127 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); + + var part128 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); + + var part129 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); + + var part130 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); + + var part131 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); + + var part132 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); + + var part133 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); + + var part134 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); + + var part135 = 
match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); + + var part136 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); + + var part137 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); + + var part138 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); + + var part139 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); + + var part140 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); + + var part141 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); + + var part142 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); + + var part143 = match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); + + var part144 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); + + var part145 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); + + var part146 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); + + var part147 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); + + var part148 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); + + var part149 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); + + var part150 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); + + var part151 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); + + var part152 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); + + var part153 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); + + var part154 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); + + var part155 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); + + var part156 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); + + var part157 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); + + var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { + "Address": 
"dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup1, + dup2, + dup3, + ])); + + var part159 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, + ])); + + var part160 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ 
+ dup4, + dup2, + dup3, + ])); + + var part161 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup4, + dup2, + ])); + + var part162 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, + ])); + + var part163 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + ])); + + var part164 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, + ])); + + var part165 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + 
dup17, + dup9, + dup2, + ])); + + var part166 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup19, + dup2, + dup3, + ])); + + var part167 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, + ])); + + var part168 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + 
"TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup2, + dup3, + ])); + + var part169 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, + ])); + + var part170 = tagval("MESSAGE#38:22:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup21, + dup2, + dup3, + ])); + + var part171 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, + ])); + + var part172 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup23, + dup2, + dup3, + ])); + + var part173 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, + ])); + + var part174 = tagval("MESSAGE#116:61:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup20, + dup2, + dup3, + ])); + + var part175 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, + ])); + + var part176 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": 
"c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + ])); + + var part177 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, + ])); + + var part178 = tagval("MESSAGE#190:98:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, + ])); + + var select316 = linear_select([ + dup32, + dup33, + ]); + + var select317 = linear_select([ + dup34, + dup35, + ]); + + var select318 = linear_select([ + dup36, + dup37, + ]); + + var select319 = linear_select([ + dup38, + dup39, + ]); + + var select320 = linear_select([ + dup40, + dup41, + ]); + + var select321 = linear_select([ + dup42, + dup43, + ]); + + var select322 = linear_select([ + dup44, + dup45, + ]); + + var select323 = linear_select([ + dup46, + dup47, + ]); + + var select324 = 
linear_select([ + dup48, + dup49, + ]); + + var select325 = linear_select([ + dup50, + dup51, + ]); + + var select326 = linear_select([ + dup52, + dup53, + ]); + + var select327 = linear_select([ + dup54, + dup55, + ]); + + var select328 = linear_select([ + dup56, + dup57, + ]); + + var select329 = linear_select([ + dup58, + dup59, + ]); + + var select330 = linear_select([ + dup60, + dup61, + ]); + + var select331 = linear_select([ + dup62, + dup63, + ]); + + var select332 = linear_select([ + dup64, + dup65, + ]); + + var select333 = linear_select([ + dup66, + dup67, + ]); + + var select334 = linear_select([ + dup68, + dup69, + ]); + + var select335 = linear_select([ + dup70, + dup71, + ]); + + var select336 = linear_select([ + dup72, + dup73, + ]); + + var select337 = linear_select([ + dup74, + dup75, + ]); + + var select338 = linear_select([ + dup76, + dup77, + ]); + + var part179 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, + ])); + + var part180 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, + ])); + + var part181 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup82, + dup2, + dup3, + ])); + + var part182 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, + ])); + + var part183 = 
tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup83, + dup2, + dup3, + ])); + + var part184 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, + ])); + + var part185 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var select339 = linear_select([ + dup85, + dup86, + 
]); + + var select340 = linear_select([ + dup88, + dup89, + ]); + + var select341 = linear_select([ + dup91, + dup92, + ]); + + var select342 = linear_select([ + dup94, + dup95, + ]); + + var select343 = linear_select([ + dup97, + dup98, + ]); + + var select344 = linear_select([ + dup100, + dup101, + ]); + + var select345 = linear_select([ + dup103, + dup104, + ]); + + var select346 = linear_select([ + dup106, + dup107, + ]); + + var select347 = linear_select([ + dup109, + dup110, + ]); + + var select348 = linear_select([ + dup112, + dup113, + ]); + + var select349 = linear_select([ + dup115, + dup116, + dup117, + dup118, + ]); + + var select350 = linear_select([ + dup120, + dup121, + ]); + + var select351 = linear_select([ + dup123, + dup124, + ]); + + var select352 = linear_select([ + dup126, + dup127, + ]); + + var select353 = linear_select([ + dup129, + dup130, + ]); + + var select354 = linear_select([ + dup132, + dup133, + ]); + + var select355 = linear_select([ + dup135, + dup136, + ]); + + var select356 = linear_select([ + dup138, + dup139, + ]); + + var select357 = linear_select([ + dup141, + dup142, + ]); + + var select358 = linear_select([ + dup144, + dup145, + ]); + + var select359 = linear_select([ + dup147, + dup148, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: 
true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cyberark/0.5.1/data_stream/corepas/agent/stream/udp.yml.hbs b/packages/cyberark/0.5.1/data_stream/corepas/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..dae40c6604 --- /dev/null +++ b/packages/cyberark/0.5.1/data_stream/corepas/agent/stream/udp.yml.hbs 
@@ -0,0 +1,8830 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cyberark" + product: "Core" + type: "Access" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10, 5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, + ])); + + var dup153 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup4, + dup2, + dup3, + ])); + + var dup154 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", 
processor_chain([ + dup4, + dup2, + ])); + + var dup155 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, + ])); + + var dup156 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + ])); + + var dup157 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": 
"severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, + ])); + + var dup158 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + ])); + + var dup159 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup19, + dup2, + dup3, + ])); + + var dup160 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, + ])); + + var dup161 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup2, + dup3, + ])); + + var dup162 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, + ])); + + var dup163 = tagval("MESSAGE#38:22:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup21, + dup2, + dup3, + ])); + + var dup164 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, + ])); + + var dup165 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + 
"Version": "version", + }, processor_chain([ + dup23, + dup2, + dup3, + ])); + + var dup166 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, + ])); + + var dup167 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup20, + dup2, + dup3, + ])); + + var dup168 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, + ])); + + var dup169 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + ])); + + var dup170 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, + ])); + + var dup171 = tagval("MESSAGE#190:98:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, + ])); + + var dup172 = linear_select([ + dup32, + dup33, + ]); + + var dup173 = linear_select([ + dup34, + dup35, + ]); + + var dup174 = linear_select([ + dup36, + dup37, + ]); + + var dup175 = linear_select([ + dup38, + dup39, + ]); + + var dup176 = linear_select([ + dup40, + dup41, + ]); + + var dup177 = linear_select([ + dup42, + dup43, + ]); + + var dup178 = linear_select([ + dup44, + dup45, + ]); + + var dup179 = linear_select([ + dup46, + dup47, + ]); + + var dup180 = linear_select([ + dup48, + dup49, + ]); + + var dup181 = linear_select([ + dup50, + dup51, + ]); + + var dup182 = linear_select([ + dup52, + dup53, + ]); + + var dup183 = linear_select([ + dup54, + dup55, + ]); + + var dup184 = linear_select([ + dup56, + dup57, + ]); + + var dup185 = linear_select([ + dup58, + dup59, + ]); + + var dup186 = linear_select([ + dup60, + dup61, + ]); + + var dup187 = linear_select([ + dup62, + dup63, + ]); + + var dup188 = linear_select([ + dup64, + dup65, + ]); + + var dup189 = linear_select([ + dup66, + dup67, + ]); + + var dup190 = linear_select([ + dup68, + dup69, + ]); + + var dup191 = linear_select([ + dup70, + dup71, + ]); + + var dup192 = linear_select([ + dup72, + dup73, + ]); + + var dup193 = linear_select([ + dup74, + dup75, + ]); + + var dup194 = 
linear_select([ + dup76, + dup77, + ]); + + var dup195 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, + ])); + + var dup196 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, + ])); + + var dup197 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + 
"SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup82, + dup2, + dup3, + ])); + + var dup198 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, + ])); + + var dup199 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup83, + dup2, + dup3, + ])); + + var dup200 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, + ])); + + var dup201 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var dup202 = linear_select([ + dup85, + dup86, + ]); + + var dup203 = linear_select([ + dup88, + dup89, + ]); + + var dup204 = linear_select([ + dup91, + dup92, + ]); + + var dup205 = linear_select([ + dup94, + dup95, + ]); + + var dup206 = linear_select([ + dup97, + dup98, + ]); + + var dup207 = linear_select([ + dup100, + dup101, + ]); + + var dup208 = linear_select([ + dup103, + dup104, + ]); + + var dup209 = linear_select([ + dup106, + dup107, + ]); + + var dup210 = linear_select([ + dup109, + dup110, + ]); + + var dup211 = linear_select([ + dup112, + dup113, + ]); + + var dup212 = linear_select([ + dup115, + dup116, + dup117, + dup118, + ]); + + var dup213 = linear_select([ + dup120, + dup121, + ]); + + var dup214 = linear_select([ + dup123, + dup124, + ]); + + var dup215 = linear_select([ + dup126, + dup127, + ]); + + var dup216 = 
linear_select([ + dup129, + dup130, + ]); + + var dup217 = linear_select([ + dup132, + dup133, + ]); + + var dup218 = linear_select([ + dup135, + dup136, + ]); + + var dup219 = linear_select([ + dup138, + dup139, + ]); + + var dup220 = linear_select([ + dup141, + dup142, + ]); + + var dup221 = linear_select([ + dup144, + dup145, + ]); + + var dup222 = linear_select([ + dup147, + dup148, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld1"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld4"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr5 = match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", 
processor_chain([ + setc("header_id","0004"), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0006"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var msg1 = msg("1:01", dup151); + + var msg2 = msg("1", dup152); + + var select2 = linear_select([ + msg1, + msg2, + ]); + + var msg3 = msg("2:01", dup153); + + var msg4 = msg("2", dup154); + + var select3 = linear_select([ + msg3, + msg4, + ]); + + var msg5 = msg("3:01", dup151); + + var msg6 = msg("3", dup152); + + var select4 = linear_select([ + msg5, + msg6, + ]); + + var msg7 = msg("4:01", dup155); + + var msg8 = msg("4", dup156); + + var select5 = linear_select([ + msg7, + msg8, + ]); + + var part1 = tagval("MESSAGE#8:7:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, + dup3, + ])); + + var msg9 = msg("7:01", part1); + + var part2 = match("MESSAGE#9:7", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, + ])); + + var msg10 = msg("7", part2); + + var select6 = linear_select([ + msg9, + msg10, + ]); + + var part3 = tagval("MESSAGE#10:8:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, + dup3, + ])); + + var msg11 = msg("8:01", part3); + + var part4 = match("MESSAGE#11:8", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, + ])); + + var msg12 = msg("8", part4); + + var select7 = linear_select([ + msg11, + msg12, + ]); + + var part5 = tagval("MESSAGE#12:9:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup1, + dup14, + dup9, + dup2, + dup3, + ])); + + var msg13 = msg("9:01", part5); + + var part6 = match("MESSAGE#13:9", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup14, + dup9, + dup2, + ])); + + var msg14 = msg("9", part6); + + var select8 = linear_select([ + msg13, + msg14, + ]); + + var msg15 = msg("10:01", dup151); + + var msg16 = msg("10", dup152); + + var select9 = linear_select([ + msg15, + msg16, + ]); + + var msg17 = msg("11:01", dup151); + + var msg18 = msg("11", dup152); + + var select10 = linear_select([ + msg17, + msg18, + ]); + + var msg19 = msg("12:01", dup151); + + var msg20 = msg("12", dup152); + + var select11 = linear_select([ + msg19, + msg20, + ]); + + var msg21 = msg("13:01", dup157); + + var msg22 = msg("13", dup158); + + var select12 = linear_select([ + msg21, + msg22, + ]); + + var msg23 = msg("14:01", dup157); + + var msg24 = msg("14", dup158); + + var select13 = linear_select([ + msg23, + msg24, + ]); + + var part7 = tagval("MESSAGE#24:15:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + 
"Version": "version", + }, processor_chain([ + dup15, + dup18, + dup9, + dup2, + dup3, + ])); + + var msg25 = msg("15:01", part7); + + var part8 = match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup18, + dup9, + dup2, + ])); + + var msg26 = msg("15", part8); + + var select14 = linear_select([ + msg25, + msg26, + ]); + + var msg27 = msg("16:01", dup159); + + var msg28 = msg("16", dup160); + + var select15 = linear_select([ + msg27, + msg28, + ]); + + var msg29 = msg("17:01", dup151); + + var msg30 = msg("17", dup152); + + var select16 = linear_select([ + msg29, + msg30, + ]); + + var msg31 = msg("18:01", dup161); + + var msg32 = msg("18", dup162); + + var select17 = linear_select([ + msg31, + msg32, + ]); + + var part9 = tagval("MESSAGE#32:19:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup20, + dup16, 
+ dup11, + dup2, + dup3, + ])); + + var msg33 = msg("19:01", part9); + + var part10 = match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup16, + dup11, + dup2, + ])); + + var msg34 = msg("19", part10); + + var select18 = linear_select([ + msg33, + msg34, + ]); + + var part11 = tagval("MESSAGE#34:20:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup19, + dup16, + dup2, + dup3, + ])); + + var msg35 = msg("20:01", part11); + + var part12 = match("MESSAGE#35:20", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup16, + dup2, + ])); + + var msg36 = msg("20", part12); + + var select19 = linear_select([ + msg35, + msg36, + ]); + + var part13 = tagval("MESSAGE#36:21:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup16, + dup9, + dup2, + dup3, + ])); + + var msg37 = msg("21:01", part13); + + var part14 = match("MESSAGE#37:21", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup9, + dup2, + ])); + + var msg38 = msg("21", part14); + + var select20 = linear_select([ + msg37, + msg38, + ]); + + var msg39 = msg("22:01", dup163); + + var msg40 = msg("22", dup164); + + var select21 = linear_select([ + msg39, + msg40, + ]); + + var part15 = tagval("MESSAGE#40:23:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup22, + dup2, + dup3, + ])); + + var msg41 = msg("23:01", part15); + + var part16 = match("MESSAGE#41:23", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup22, + dup2, + ])); + + var msg42 = msg("23", part16); + + var select22 = linear_select([ + msg41, + msg42, + ]); + + var msg43 = msg("24:01", dup163); + + var msg44 = msg("24", dup164); + + var select23 = linear_select([ + msg43, + msg44, + ]); + + var msg45 = msg("25:01", dup151); + + var msg46 = msg("25", dup152); + + var select24 = linear_select([ + msg45, + msg46, + ]); + + var msg47 = msg("26:01", dup151); + + var msg48 = msg("26", dup152); + + var select25 = linear_select([ + msg47, + msg48, + ]); + + var msg49 = msg("27:01", dup151); + + var msg50 = msg("27", dup152); + + var select26 = linear_select([ + msg49, + msg50, + ]); + + var msg51 = msg("28:01", dup163); + + var msg52 = msg("28", dup164); + + var select27 = linear_select([ + msg51, + msg52, + ]); + + var msg53 = msg("29:01", dup151); + + var msg54 = msg("29", dup152); + + var select28 = linear_select([ + msg53, + msg54, + ]); + + var msg55 = msg("30:01", dup151); + + var msg56 = msg("30", dup152); + + var select29 = linear_select([ + msg55, + msg56, + ]); + + var msg57 = msg("31:01", dup163); + + var msg58 = msg("31", dup164); + + var select30 = linear_select([ + msg57, + msg58, + ]); + + var msg59 = msg("32:01", dup163); + + var msg60 = msg("32", dup164); + + var select31 = linear_select([ + msg59, + msg60, + ]); + + var msg61 = msg("33:01", dup163); + + var msg62 = msg("33", dup164); + + var select32 = linear_select([ + msg61, + msg62, + ]); + + var msg63 = 
msg("34:01", dup151); + + var msg64 = msg("34", dup152); + + var select33 = linear_select([ + msg63, + msg64, + ]); + + var msg65 = msg("35:01", dup151); + + var msg66 = msg("35", dup152); + + var select34 = linear_select([ + msg65, + msg66, + ]); + + var msg67 = msg("36:01", dup163); + + var msg68 = msg("36", dup164); + + var select35 = linear_select([ + msg67, + msg68, + ]); + + var msg69 = msg("37:01", dup163); + + var msg70 = msg("37", dup164); + + var select36 = linear_select([ + msg69, + msg70, + ]); + + var msg71 = msg("38:01", dup165); + + var msg72 = msg("38", dup166); + + var select37 = linear_select([ + msg71, + msg72, + ]); + + var msg73 = msg("39:01", dup163); + + var msg74 = msg("39", dup164); + + var select38 = linear_select([ + msg73, + msg74, + ]); + + var msg75 = msg("40:01", dup151); + + var msg76 = msg("40", dup152); + + var select39 = linear_select([ + msg75, + msg76, + ]); + + var msg77 = msg("41:01", dup151); + + var msg78 = msg("41", dup152); + + var select40 = linear_select([ + msg77, + msg78, + ]); + + var msg79 = msg("42:01", dup151); + + var msg80 = msg("42", dup152); + + var select41 = linear_select([ + msg79, + msg80, + ]); + + var msg81 = msg("43:01", dup151); + + var msg82 = msg("43", dup152); + + var select42 = linear_select([ + msg81, + msg82, + ]); + + var msg83 = msg("44:01", dup151); + + var msg84 = msg("44", dup152); + + var select43 = linear_select([ + msg83, + msg84, + ]); + + var msg85 = msg("45:01", dup151); + + var msg86 = msg("45", dup152); + + var select44 = linear_select([ + msg85, + msg86, + ]); + + var msg87 = msg("46:01", dup151); + + var msg88 = msg("46", dup152); + + var select45 = linear_select([ + msg87, + msg88, + ]); + + var msg89 = msg("47:01", dup151); + + var msg90 = msg("47", dup152); + + var select46 = linear_select([ + msg89, + msg90, + ]); + + var msg91 = msg("48:01", dup151); + + var msg92 = msg("48", dup152); + + var select47 = linear_select([ + msg91, + msg92, + ]); + + var msg93 = msg("49:01", 
dup151); + + var msg94 = msg("49", dup152); + + var select48 = linear_select([ + msg93, + msg94, + ]); + + var part17 = tagval("MESSAGE#94:50:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup21, + dup2, + dup3, + dup24, + dup25, + ])); + + var msg95 = msg("50:01", part17); + + var msg96 = msg("50", dup164); + + var select49 = linear_select([ + msg95, + msg96, + ]); + + var msg97 = msg("51:01", dup163); + + var msg98 = msg("51", dup164); + + var select50 = linear_select([ + msg97, + msg98, + ]); + + var msg99 = msg("52:01", dup163); + + var msg100 = msg("52", dup164); + + var select51 = linear_select([ + msg99, + msg100, + ]); + + var msg101 = msg("53:01", dup151); + + var msg102 = msg("53", dup152); + + var select52 = linear_select([ + msg101, + msg102, + ]); + + var msg103 = msg("54:01", dup151); + + var msg104 = msg("54", dup152); + + var select53 = linear_select([ + msg103, + msg104, + ]); + + var msg105 = msg("55:01", dup151); + + var msg106 = msg("55", dup152); + + var select54 = linear_select([ + msg105, + msg106, + ]); + + var msg107 = msg("56:01", dup151); + + var msg108 = msg("56", dup152); + + var select55 = linear_select([ + msg107, + msg108, + ]); + + var msg109 = msg("57:01", dup165); + + var msg110 = msg("57", dup166); + + var select56 = linear_select([ + msg109, + msg110, + ]); + + var msg111 = msg("58:01", dup163); + + var msg112 = 
msg("58", dup164); + + var select57 = linear_select([ + msg111, + msg112, + ]); + + var msg113 = msg("59:01", dup163); + + var msg114 = msg("59", dup164); + + var select58 = linear_select([ + msg113, + msg114, + ]); + + var msg115 = msg("60:01", dup165); + + var msg116 = msg("60", dup166); + + var select59 = linear_select([ + msg115, + msg116, + ]); + + var msg117 = msg("61:01", dup167); + + var msg118 = msg("61", dup168); + + var select60 = linear_select([ + msg117, + msg118, + ]); + + var msg119 = msg("62:01", dup163); + + var msg120 = msg("62", dup164); + + var select61 = linear_select([ + msg119, + msg120, + ]); + + var msg121 = msg("63:01", dup151); + + var msg122 = msg("63", dup152); + + var select62 = linear_select([ + msg121, + msg122, + ]); + + var msg123 = msg("64:01", dup167); + + var msg124 = msg("64", dup168); + + var select63 = linear_select([ + msg123, + msg124, + ]); + + var msg125 = msg("65:01", dup151); + + var msg126 = msg("65", dup152); + + var select64 = linear_select([ + msg125, + msg126, + ]); + + var msg127 = msg("66:01", dup169); + + var msg128 = msg("66", dup170); + + var select65 = linear_select([ + msg127, + msg128, + ]); + + var msg129 = msg("67:01", dup169); + + var msg130 = msg("67", dup170); + + var select66 = linear_select([ + msg129, + msg130, + ]); + + var msg131 = msg("68:01", dup169); + + var msg132 = msg("68", dup170); + + var select67 = linear_select([ + msg131, + msg132, + ]); + + var msg133 = msg("69:01", dup169); + + var msg134 = msg("69", dup170); + + var select68 = linear_select([ + msg133, + msg134, + ]); + + var msg135 = msg("70:01", dup151); + + var msg136 = msg("70", dup152); + + var select69 = linear_select([ + msg135, + msg136, + ]); + + var msg137 = msg("71:01", dup169); + + var msg138 = msg("71", dup170); + + var select70 = linear_select([ + msg137, + msg138, + ]); + + var msg139 = msg("72:01", dup151); + + var msg140 = msg("72", dup152); + + var select71 = linear_select([ + msg139, + msg140, + ]); + + var msg141 
= msg("73:01", dup169); + + var msg142 = msg("73", dup170); + + var select72 = linear_select([ + msg141, + msg142, + ]); + + var msg143 = msg("74:01", dup151); + + var msg144 = msg("74", dup152); + + var select73 = linear_select([ + msg143, + msg144, + ]); + + var msg145 = msg("75:01", dup169); + + var msg146 = msg("75", dup170); + + var select74 = linear_select([ + msg145, + msg146, + ]); + + var msg147 = msg("76:01", dup151); + + var msg148 = msg("76", dup152); + + var select75 = linear_select([ + msg147, + msg148, + ]); + + var msg149 = msg("77:01", dup151); + + var msg150 = msg("77", dup152); + + var select76 = linear_select([ + msg149, + msg150, + ]); + + var msg151 = msg("78:01", dup151); + + var msg152 = msg("78", dup152); + + var select77 = linear_select([ + msg151, + msg152, + ]); + + var msg153 = msg("79:01", dup169); + + var msg154 = msg("79", dup170); + + var select78 = linear_select([ + msg153, + msg154, + ]); + + var msg155 = msg("80:01", dup169); + + var msg156 = msg("80", dup170); + + var select79 = linear_select([ + msg155, + msg156, + ]); + + var msg157 = msg("81:01", dup167); + + var msg158 = msg("81", dup168); + + var select80 = linear_select([ + msg157, + msg158, + ]); + + var msg159 = msg("82:01", dup151); + + var msg160 = msg("82", dup152); + + var select81 = linear_select([ + msg159, + msg160, + ]); + + var msg161 = msg("83:01", dup169); + + var msg162 = msg("83", dup170); + + var select82 = linear_select([ + msg161, + msg162, + ]); + + var msg163 = msg("84:01", dup169); + + var msg164 = msg("84", dup170); + + var select83 = linear_select([ + msg163, + msg164, + ]); + + var msg165 = msg("85:01", dup151); + + var msg166 = msg("85", dup152); + + var select84 = linear_select([ + msg165, + msg166, + ]); + + var msg167 = msg("86:01", dup159); + + var msg168 = msg("86", dup160); + + var select85 = linear_select([ + msg167, + msg168, + ]); + + var msg169 = msg("87:01", dup151); + + var msg170 = msg("87", dup152); + + var select86 = linear_select([ 
+ msg169, + msg170, + ]); + + var msg171 = msg("88:01", dup169); + + var msg172 = msg("88", dup170); + + var select87 = linear_select([ + msg171, + msg172, + ]); + + var msg173 = msg("89:01", dup151); + + var msg174 = msg("89", dup152); + + var select88 = linear_select([ + msg173, + msg174, + ]); + + var msg175 = msg("90:01", dup151); + + var msg176 = msg("90", dup152); + + var select89 = linear_select([ + msg175, + msg176, + ]); + + var msg177 = msg("91:01", dup151); + + var msg178 = msg("91", dup152); + + var select90 = linear_select([ + msg177, + msg178, + ]); + + var msg179 = msg("92:01", dup151); + + var msg180 = msg("92", dup152); + + var select91 = linear_select([ + msg179, + msg180, + ]); + + var msg181 = msg("93:01", dup151); + + var msg182 = msg("93", dup152); + + var select92 = linear_select([ + msg181, + msg182, + ]); + + var msg183 = msg("94:01", dup169); + + var msg184 = msg("94", dup170); + + var select93 = linear_select([ + msg183, + msg184, + ]); + + var msg185 = msg("95:01", dup169); + + var msg186 = msg("95", dup170); + + var select94 = linear_select([ + msg185, + msg186, + ]); + + var msg187 = msg("96:01", dup151); + + var msg188 = msg("96", dup152); + + var select95 = linear_select([ + msg187, + msg188, + ]); + + var msg189 = msg("97:01", dup151); + + var msg190 = msg("97", dup152); + + var select96 = linear_select([ + msg189, + msg190, + ]); + + var msg191 = msg("98:01", dup171); + + var msg192 = msg("98", dup170); + + var select97 = linear_select([ + msg191, + msg192, + ]); + + var msg193 = msg("99:01", dup171); + + var msg194 = msg("99", dup170); + + var select98 = linear_select([ + msg193, + msg194, + ]); + + var msg195 = msg("100:01", dup151); + + var msg196 = msg("100", dup152); + + var select99 = linear_select([ + msg195, + msg196, + ]); + + var msg197 = msg("101:01", dup151); + + var msg198 = msg("101", dup152); + + var select100 = linear_select([ + msg197, + msg198, + ]); + + var msg199 = msg("102:01", dup155); + + var msg200 = 
msg("102", dup156); + + var select101 = linear_select([ + msg199, + msg200, + ]); + + var part18 = tagval("MESSAGE#200:103:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, + dup3, + ])); + + var msg201 = msg("103:01", part18); + + var part19 = match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, + ])); + + var msg202 = msg("103", part19); + + var select102 = linear_select([ + msg201, + msg202, + ]); + + var part20 = tagval("MESSAGE#202:104:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": 
"directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup27, + dup6, + dup29, + dup2, + dup3, + ])); + + var msg203 = msg("104:01", part20); + + var part21 = match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup29, + dup2, + ])); + + var msg204 = msg("104", part21); + + var select103 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("105:01", dup169); + + var msg206 = msg("105", dup170); + + var select104 = linear_select([ + msg205, + msg206, + ]); + + var msg207 = msg("106:01", dup169); + + var msg208 = msg("106", dup170); + + var select105 = linear_select([ + msg207, + msg208, + ]); + + var msg209 = msg("107:01", dup169); + + var msg210 = msg("107", dup170); + + var select106 = linear_select([ + msg209, + msg210, + ]); + + var msg211 = msg("108:01", dup169); + + var msg212 = msg("108", dup170); + + var select107 = linear_select([ + msg211, + msg212, + ]); + + var msg213 = msg("109:01", dup169); + + var msg214 = msg("109", dup170); + + var select108 = linear_select([ + msg213, + msg214, + ]); + + var msg215 = msg("110:01", dup151); + + var msg216 = msg("110", 
dup152); + + var select109 = linear_select([ + msg215, + msg216, + ]); + + var msg217 = msg("111:01", dup169); + + var msg218 = msg("111", dup170); + + var select110 = linear_select([ + msg217, + msg218, + ]); + + var msg219 = msg("112:01", dup169); + + var msg220 = msg("112", dup170); + + var select111 = linear_select([ + msg219, + msg220, + ]); + + var msg221 = msg("114:01", dup169); + + var msg222 = msg("114", dup170); + + var select112 = linear_select([ + msg221, + msg222, + ]); + + var msg223 = msg("115:01", dup169); + + var msg224 = msg("115", dup170); + + var select113 = linear_select([ + msg223, + msg224, + ]); + + var msg225 = msg("116:01", dup151); + + var msg226 = msg("116", dup152); + + var select114 = linear_select([ + msg225, + msg226, + ]); + + var msg227 = msg("117:01", dup151); + + var msg228 = msg("117", dup152); + + var select115 = linear_select([ + msg227, + msg228, + ]); + + var msg229 = msg("118:01", dup169); + + var msg230 = msg("118", dup170); + + var select116 = linear_select([ + msg229, + msg230, + ]); + + var msg231 = msg("119:01", dup169); + + var msg232 = msg("119", dup170); + + var select117 = linear_select([ + msg231, + msg232, + ]); + + var msg233 = msg("120:01", dup169); + + var msg234 = msg("120", dup170); + + var select118 = linear_select([ + msg233, + msg234, + ]); + + var msg235 = msg("121:01", dup169); + + var msg236 = msg("121", dup170); + + var select119 = linear_select([ + msg235, + msg236, + ]); + + var msg237 = msg("122:01", dup169); + + var msg238 = msg("122", dup170); + + var select120 = linear_select([ + msg237, + msg238, + ]); + + var msg239 = msg("123:01", dup169); + + var msg240 = msg("123", dup170); + + var select121 = linear_select([ + msg239, + msg240, + ]); + + var msg241 = msg("124:01", dup169); + + var msg242 = msg("124", dup170); + + var select122 = linear_select([ + msg241, + msg242, + ]); + + var msg243 = msg("125:01", dup169); + + var msg244 = msg("125", dup170); + + var select123 = linear_select([ + 
msg243, + msg244, + ]); + + var msg245 = msg("126:01", dup169); + + var msg246 = msg("126", dup170); + + var select124 = linear_select([ + msg245, + msg246, + ]); + + var msg247 = msg("127:01", dup169); + + var msg248 = msg("127", dup170); + + var select125 = linear_select([ + msg247, + msg248, + ]); + + var msg249 = msg("128:01", dup169); + + var msg250 = msg("128", dup170); + + var select126 = linear_select([ + msg249, + msg250, + ]); + + var msg251 = msg("129:01", dup169); + + var msg252 = msg("129", dup170); + + var select127 = linear_select([ + msg251, + msg252, + ]); + + var msg253 = msg("130:01", dup169); + + var msg254 = msg("130", dup170); + + var select128 = linear_select([ + msg253, + msg254, + ]); + + var msg255 = msg("131:01", dup151); + + var msg256 = msg("131", dup152); + + var select129 = linear_select([ + msg255, + msg256, + ]); + + var msg257 = msg("132:01", dup151); + + var msg258 = msg("132", dup152); + + var select130 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("133:01", dup151); + + var msg260 = msg("133", dup152); + + var select131 = linear_select([ + msg259, + msg260, + ]); + + var part22 = tagval("MESSAGE#260:134:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup30, + dup2, + dup3, + ])); + + var msg261 = msg("134:01", part22); + + var part23 = match("MESSAGE#261:134", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup30, + dup2, + ])); + + var msg262 = msg("134", part23); + + var select132 = linear_select([ + msg261, + msg262, + ]); + + var msg263 = msg("135:01", dup151); + + var msg264 = msg("135", dup152); + + var select133 = linear_select([ + msg263, + msg264, + ]); + + var msg265 = msg("136:01", dup169); + + var msg266 = msg("136", dup170); + + var select134 = linear_select([ + msg265, + msg266, + ]); + + var msg267 = msg("137:01", dup169); + + var msg268 = msg("137", dup170); + + var select135 = linear_select([ + msg267, + msg268, + ]); + + var msg269 = msg("138:01", dup169); + + var msg270 = msg("138", dup170); + + var select136 = linear_select([ + msg269, + msg270, + ]); + + var msg271 = msg("139:01", dup169); + + var msg272 = msg("139", dup170); + + var select137 = linear_select([ + msg271, + msg272, + ]); + + var msg273 = msg("140:01", dup169); + + var msg274 = msg("140", dup170); + + var select138 = linear_select([ + msg273, + msg274, + ]); + + var msg275 = msg("141:01", dup169); + + var msg276 = msg("141", dup170); + + var select139 = linear_select([ + msg275, + msg276, + ]); + + var msg277 = msg("142:01", dup169); + + var msg278 = msg("142", dup170); + + var select140 = linear_select([ + msg277, + msg278, + ]); + + var msg279 = msg("143:01", dup169); + + var msg280 = msg("143", dup170); + + var select141 = linear_select([ + msg279, + msg280, + ]); + + var msg281 = msg("144:01", dup169); + + var msg282 = msg("144", dup170); + + var 
select142 = linear_select([ + msg281, + msg282, + ]); + + var msg283 = msg("145:01", dup169); + + var msg284 = msg("145", dup170); + + var select143 = linear_select([ + msg283, + msg284, + ]); + + var msg285 = msg("146:01", dup151); + + var msg286 = msg("146", dup152); + + var select144 = linear_select([ + msg285, + msg286, + ]); + + var msg287 = msg("147:01", dup151); + + var msg288 = msg("147", dup152); + + var select145 = linear_select([ + msg287, + msg288, + ]); + + var msg289 = msg("148:01", dup151); + + var msg290 = msg("148", dup152); + + var select146 = linear_select([ + msg289, + msg290, + ]); + + var msg291 = msg("149:01", dup151); + + var msg292 = msg("149", dup152); + + var select147 = linear_select([ + msg291, + msg292, + ]); + + var msg293 = msg("150:01", dup151); + + var msg294 = msg("150", dup152); + + var select148 = linear_select([ + msg293, + msg294, + ]); + + var msg295 = msg("152:01", dup151); + + var msg296 = msg("152", dup152); + + var select149 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("153:01", dup151); + + var msg298 = msg("153", dup152); + + var select150 = linear_select([ + msg297, + msg298, + ]); + + var msg299 = msg("154:01", dup151); + + var msg300 = msg("154", dup152); + + var select151 = linear_select([ + msg299, + msg300, + ]); + + var msg301 = msg("155:01", dup151); + + var msg302 = msg("155", dup152); + + var select152 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("156:01", dup151); + + var msg304 = msg("156", dup152); + + var select153 = linear_select([ + msg303, + msg304, + ]); + + var msg305 = msg("157:01", dup151); + + var msg306 = msg("157", dup152); + + var select154 = linear_select([ + msg305, + msg306, + ]); + + var msg307 = msg("158:01", dup151); + + var msg308 = msg("158", dup152); + + var select155 = linear_select([ + msg307, + msg308, + ]); + + var msg309 = msg("159:01", dup151); + + var msg310 = msg("159", dup152); + + var select156 = linear_select([ + msg309, + msg310, + ]); 
+ + var msg311 = msg("160:01", dup151); + + var msg312 = msg("160", dup152); + + var select157 = linear_select([ + msg311, + msg312, + ]); + + var msg313 = msg("161:01", dup151); + + var msg314 = msg("161", dup152); + + var select158 = linear_select([ + msg313, + msg314, + ]); + + var msg315 = msg("162:01", dup151); + + var msg316 = msg("162", dup152); + + var select159 = linear_select([ + msg315, + msg316, + ]); + + var msg317 = msg("163:01", dup151); + + var msg318 = msg("163", dup152); + + var select160 = linear_select([ + msg317, + msg318, + ]); + + var msg319 = msg("164:01", dup151); + + var msg320 = msg("164", dup152); + + var select161 = linear_select([ + msg319, + msg320, + ]); + + var msg321 = msg("165:01", dup151); + + var msg322 = msg("165", dup152); + + var select162 = linear_select([ + msg321, + msg322, + ]); + + var msg323 = msg("166:01", dup151); + + var msg324 = msg("166", dup152); + + var select163 = linear_select([ + msg323, + msg324, + ]); + + var msg325 = msg("167:01", dup151); + + var msg326 = msg("167", dup152); + + var select164 = linear_select([ + msg325, + msg326, + ]); + + var msg327 = msg("168:01", dup151); + + var msg328 = msg("168", dup152); + + var select165 = linear_select([ + msg327, + msg328, + ]); + + var msg329 = msg("169:01", dup151); + + var msg330 = msg("169", dup152); + + var select166 = linear_select([ + msg329, + msg330, + ]); + + var msg331 = msg("170:01", dup169); + + var msg332 = msg("170", dup170); + + var select167 = linear_select([ + msg331, + msg332, + ]); + + var msg333 = msg("171:01", dup151); + + var msg334 = msg("171", dup152); + + var select168 = linear_select([ + msg333, + msg334, + ]); + + var msg335 = msg("172:01", dup169); + + var msg336 = msg("172", dup170); + + var select169 = linear_select([ + msg335, + msg336, + ]); + + var msg337 = msg("173:01", dup151); + + var msg338 = msg("173", dup152); + + var select170 = linear_select([ + msg337, + msg338, + ]); + + var msg339 = msg("174:01", dup151); + + var 
msg340 = msg("174", dup152); + + var select171 = linear_select([ + msg339, + msg340, + ]); + + var msg341 = msg("175:01", dup151); + + var msg342 = msg("175", dup152); + + var select172 = linear_select([ + msg341, + msg342, + ]); + + var msg343 = msg("176:01", dup151); + + var msg344 = msg("176", dup152); + + var select173 = linear_select([ + msg343, + msg344, + ]); + + var msg345 = msg("177:01", dup151); + + var msg346 = msg("177", dup152); + + var select174 = linear_select([ + msg345, + msg346, + ]); + + var msg347 = msg("178:01", dup151); + + var msg348 = msg("178", dup152); + + var select175 = linear_select([ + msg347, + msg348, + ]); + + var msg349 = msg("179:01", dup169); + + var msg350 = msg("179", dup170); + + var select176 = linear_select([ + msg349, + msg350, + ]); + + var msg351 = msg("180:01", dup169); + + var msg352 = msg("180", dup170); + + var select177 = linear_select([ + msg351, + msg352, + ]); + + var msg353 = msg("181:01", dup169); + + var msg354 = msg("181", dup170); + + var select178 = linear_select([ + msg353, + msg354, + ]); + + var msg355 = msg("182:01", dup169); + + var msg356 = msg("182", dup170); + + var select179 = linear_select([ + msg355, + msg356, + ]); + + var msg357 = msg("183:01", dup169); + + var msg358 = msg("183", dup170); + + var select180 = linear_select([ + msg357, + msg358, + ]); + + var msg359 = msg("184:01", dup169); + + var msg360 = msg("184", dup170); + + var select181 = linear_select([ + msg359, + msg360, + ]); + + var msg361 = msg("185:01", dup169); + + var msg362 = msg("185", dup170); + + var select182 = linear_select([ + msg361, + msg362, + ]); + + var msg363 = msg("186:01", dup151); + + var msg364 = msg("186", dup152); + + var select183 = linear_select([ + msg363, + msg364, + ]); + + var msg365 = msg("187:01", dup169); + + var msg366 = msg("187", dup170); + + var select184 = linear_select([ + msg365, + msg366, + ]); + + var msg367 = msg("188:01", dup169); + + var msg368 = msg("188", dup170); + + var select185 = 
linear_select([ + msg367, + msg368, + ]); + + var msg369 = msg("189:01", dup169); + + var msg370 = msg("189", dup170); + + var select186 = linear_select([ + msg369, + msg370, + ]); + + var msg371 = msg("191:01", dup151); + + var msg372 = msg("191", dup152); + + var select187 = linear_select([ + msg371, + msg372, + ]); + + var msg373 = msg("192:01", dup169); + + var msg374 = msg("192", dup170); + + var select188 = linear_select([ + msg373, + msg374, + ]); + + var msg375 = msg("193:01", dup151); + + var msg376 = msg("193", dup152); + + var select189 = linear_select([ + msg375, + msg376, + ]); + + var msg377 = msg("194:01", dup169); + + var msg378 = msg("194", dup170); + + var select190 = linear_select([ + msg377, + msg378, + ]); + + var msg379 = msg("195:01", dup169); + + var msg380 = msg("195", dup170); + + var select191 = linear_select([ + msg379, + msg380, + ]); + + var msg381 = msg("196:01", dup151); + + var msg382 = msg("196", dup152); + + var select192 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = msg("197:01", dup151); + + var msg384 = msg("197", dup152); + + var select193 = linear_select([ + msg383, + msg384, + ]); + + var msg385 = msg("198:01", dup169); + + var msg386 = msg("198", dup170); + + var select194 = linear_select([ + msg385, + msg386, + ]); + + var msg387 = msg("199:01", dup169); + + var msg388 = msg("199", dup170); + + var select195 = linear_select([ + msg387, + msg388, + ]); + + var msg389 = msg("200:01", dup169); + + var msg390 = msg("200", dup170); + + var select196 = linear_select([ + msg389, + msg390, + ]); + + var msg391 = msg("201:01", dup169); + + var msg392 = msg("201", dup170); + + var select197 = linear_select([ + msg391, + msg392, + ]); + + var msg393 = msg("202:01", dup169); + + var msg394 = msg("202", dup170); + + var select198 = linear_select([ + msg393, + msg394, + ]); + + var msg395 = msg("203:01", dup169); + + var msg396 = msg("203", dup170); + + var select199 = linear_select([ + msg395, + msg396, + ]); + + var 
msg397 = msg("204:01", dup151); + + var msg398 = msg("204", dup152); + + var select200 = linear_select([ + msg397, + msg398, + ]); + + var msg399 = msg("205:01", dup151); + + var msg400 = msg("205", dup152); + + var select201 = linear_select([ + msg399, + msg400, + ]); + + var msg401 = msg("206:01", dup151); + + var msg402 = msg("206", dup152); + + var select202 = linear_select([ + msg401, + msg402, + ]); + + var msg403 = msg("207:01", dup151); + + var msg404 = msg("207", dup152); + + var select203 = linear_select([ + msg403, + msg404, + ]); + + var msg405 = msg("208:01", dup151); + + var msg406 = msg("208", dup152); + + var select204 = linear_select([ + msg405, + msg406, + ]); + + var msg407 = msg("209:01", dup169); + + var msg408 = msg("209", dup170); + + var select205 = linear_select([ + msg407, + msg408, + ]); + + var msg409 = msg("211:01", dup169); + + var msg410 = msg("211", dup170); + + var select206 = linear_select([ + msg409, + msg410, + ]); + + var msg411 = msg("212:01", dup169); + + var msg412 = msg("212", dup170); + + var select207 = linear_select([ + msg411, + msg412, + ]); + + var msg413 = msg("213:01", dup169); + + var msg414 = msg("213", dup170); + + var select208 = linear_select([ + msg413, + msg414, + ]); + + var msg415 = msg("214:01", dup151); + + var msg416 = msg("214", dup152); + + var select209 = linear_select([ + msg415, + msg416, + ]); + + var msg417 = msg("215:01", dup151); + + var msg418 = msg("215", dup152); + + var select210 = linear_select([ + msg417, + msg418, + ]); + + var msg419 = msg("216:01", dup151); + + var msg420 = msg("216", dup152); + + var select211 = linear_select([ + msg419, + msg420, + ]); + + var msg421 = msg("217:01", dup169); + + var msg422 = msg("217", dup170); + + var select212 = linear_select([ + msg421, + msg422, + ]); + + var msg423 = msg("218:01", dup169); + + var msg424 = msg("218", dup170); + + var select213 = linear_select([ + msg423, + msg424, + ]); + + var msg425 = msg("219:01", dup169); + + var msg426 = 
msg("219", dup170); + + var select214 = linear_select([ + msg425, + msg426, + ]); + + var msg427 = msg("220:01", dup169); + + var msg428 = msg("220", dup170); + + var select215 = linear_select([ + msg427, + msg428, + ]); + + var msg429 = msg("221:01", dup169); + + var msg430 = msg("221", dup170); + + var select216 = linear_select([ + msg429, + msg430, + ]); + + var msg431 = msg("222:01", dup151); + + var msg432 = msg("222", dup152); + + var select217 = linear_select([ + msg431, + msg432, + ]); + + var msg433 = msg("223:01", dup169); + + var msg434 = msg("223", dup170); + + var select218 = linear_select([ + msg433, + msg434, + ]); + + var msg435 = msg("224:01", dup169); + + var msg436 = msg("224", dup170); + + var select219 = linear_select([ + msg435, + msg436, + ]); + + var msg437 = msg("229:01", dup169); + + var msg438 = msg("229", dup170); + + var select220 = linear_select([ + msg437, + msg438, + ]); + + var msg439 = msg("230:01", dup151); + + var msg440 = msg("230", dup152); + + var select221 = linear_select([ + msg439, + msg440, + ]); + + var msg441 = msg("231:01", dup151); + + var msg442 = msg("231", dup152); + + var select222 = linear_select([ + msg441, + msg442, + ]); + + var msg443 = msg("232:01", dup151); + + var msg444 = msg("232", dup152); + + var select223 = linear_select([ + msg443, + msg444, + ]); + + var msg445 = msg("233:01", dup151); + + var msg446 = msg("233", dup152); + + var select224 = linear_select([ + msg445, + msg446, + ]); + + var msg447 = msg("236:01", dup153); + + var msg448 = msg("236", dup154); + + var select225 = linear_select([ + msg447, + msg448, + ]); + + var msg449 = msg("237:01", dup169); + + var msg450 = msg("237", dup170); + + var select226 = linear_select([ + msg449, + msg450, + ]); + + var msg451 = msg("238:01", dup151); + + var msg452 = msg("238", dup152); + + var select227 = linear_select([ + msg451, + msg452, + ]); + + var msg453 = msg("239:01", dup169); + + var msg454 = msg("239", dup170); + + var select228 = 
linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("240:01", dup169); + + var msg456 = msg("240", dup170); + + var select229 = linear_select([ + msg455, + msg456, + ]); + + var msg457 = msg("241:01", dup169); + + var msg458 = msg("241", dup170); + + var select230 = linear_select([ + msg457, + msg458, + ]); + + var msg459 = msg("243:01", dup151); + + var msg460 = msg("243", dup152); + + var select231 = linear_select([ + msg459, + msg460, + ]); + + var msg461 = msg("244:01", dup151); + + var msg462 = msg("244", dup152); + + var select232 = linear_select([ + msg461, + msg462, + ]); + + var msg463 = msg("246:01", dup169); + + var msg464 = msg("246", dup170); + + var select233 = linear_select([ + msg463, + msg464, + ]); + + var msg465 = msg("247:01", dup169); + + var msg466 = msg("247", dup170); + + var select234 = linear_select([ + msg465, + msg466, + ]); + + var msg467 = msg("248:01", dup151); + + var msg468 = msg("248", dup152); + + var select235 = linear_select([ + msg467, + msg468, + ]); + + var msg469 = msg("249:01", dup151); + + var msg470 = msg("249", dup152); + + var select236 = linear_select([ + msg469, + msg470, + ]); + + var msg471 = msg("250:01", dup151); + + var msg472 = msg("250", dup152); + + var select237 = linear_select([ + msg471, + msg472, + ]); + + var msg473 = msg("251:01", dup169); + + var msg474 = msg("251", dup170); + + var select238 = linear_select([ + msg473, + msg474, + ]); + + var msg475 = msg("252:01", dup169); + + var msg476 = msg("252", dup170); + + var select239 = linear_select([ + msg475, + msg476, + ]); + + var msg477 = msg("253:01", dup151); + + var msg478 = msg("253", dup152); + + var select240 = linear_select([ + msg477, + msg478, + ]); + + var msg479 = msg("254:01", dup169); + + var msg480 = msg("254", dup170); + + var select241 = linear_select([ + msg479, + msg480, + ]); + + var msg481 = msg("255:01", dup151); + + var msg482 = msg("255", dup152); + + var select242 = linear_select([ + msg481, + msg482, + ]); + + var 
msg483 = msg("256:01", dup169); + + var msg484 = msg("256", dup170); + + var select243 = linear_select([ + msg483, + msg484, + ]); + + var msg485 = msg("257:01", dup169); + + var msg486 = msg("257", dup170); + + var select244 = linear_select([ + msg485, + msg486, + ]); + + var msg487 = msg("259:01", dup169); + + var msg488 = msg("259", dup170); + + var select245 = linear_select([ + msg487, + msg488, + ]); + + var msg489 = msg("260:01", dup151); + + var msg490 = msg("260", dup152); + + var select246 = linear_select([ + msg489, + msg490, + ]); + + var msg491 = msg("261:01", dup151); + + var msg492 = msg("261", dup152); + + var select247 = linear_select([ + msg491, + msg492, + ]); + + var msg493 = msg("262:01", dup151); + + var msg494 = msg("262", dup152); + + var select248 = linear_select([ + msg493, + msg494, + ]); + + var msg495 = msg("263:01", dup151); + + var msg496 = msg("263", dup152); + + var select249 = linear_select([ + msg495, + msg496, + ]); + + var msg497 = msg("264:01", dup169); + + var msg498 = msg("264", dup170); + + var select250 = linear_select([ + msg497, + msg498, + ]); + + var msg499 = msg("265:01", dup169); + + var msg500 = msg("265", dup170); + + var select251 = linear_select([ + msg499, + msg500, + ]); + + var msg501 = msg("266:01", dup169); + + var msg502 = msg("266", dup170); + + var select252 = linear_select([ + msg501, + msg502, + ]); + + var msg503 = msg("267:01", dup169); + + var msg504 = msg("267", dup170); + + var select253 = linear_select([ + msg503, + msg504, + ]); + + var msg505 = msg("268:01", dup169); + + var msg506 = msg("268", dup170); + + var select254 = linear_select([ + msg505, + msg506, + ]); + + var msg507 = msg("269:01", dup151); + + var msg508 = msg("269", dup152); + + var select255 = linear_select([ + msg507, + msg508, + ]); + + var msg509 = msg("270:01", dup169); + + var msg510 = msg("270", dup170); + + var select256 = linear_select([ + msg509, + msg510, + ]); + + var msg511 = msg("271:01", dup151); + + var msg512 = 
msg("271", dup152); + + var select257 = linear_select([ + msg511, + msg512, + ]); + + var msg513 = msg("272:01", dup169); + + var msg514 = msg("272", dup170); + + var select258 = linear_select([ + msg513, + msg514, + ]); + + var msg515 = msg("273:01", dup169); + + var msg516 = msg("273", dup170); + + var select259 = linear_select([ + msg515, + msg516, + ]); + + var msg517 = msg("274:01", dup169); + + var msg518 = msg("274", dup170); + + var select260 = linear_select([ + msg517, + msg518, + ]); + + var msg519 = msg("275:01", dup169); + + var msg520 = msg("275", dup170); + + var select261 = linear_select([ + msg519, + msg520, + ]); + + var msg521 = msg("276:01", dup169); + + var msg522 = msg("276", dup170); + + var select262 = linear_select([ + msg521, + msg522, + ]); + + var msg523 = msg("277:01", dup169); + + var msg524 = msg("277", dup170); + + var select263 = linear_select([ + msg523, + msg524, + ]); + + var msg525 = msg("278:01", dup169); + + var msg526 = msg("278", dup170); + + var select264 = linear_select([ + msg525, + msg526, + ]); + + var msg527 = msg("279:01", dup169); + + var msg528 = msg("279", dup170); + + var select265 = linear_select([ + msg527, + msg528, + ]); + + var msg529 = msg("280:01", dup151); + + var msg530 = msg("280", dup152); + + var select266 = linear_select([ + msg529, + msg530, + ]); + + var msg531 = msg("281:01", dup151); + + var msg532 = msg("281", dup152); + + var select267 = linear_select([ + msg531, + msg532, + ]); + + var msg533 = msg("282:01", dup169); + + var msg534 = msg("282", dup170); + + var select268 = linear_select([ + msg533, + msg534, + ]); + + var msg535 = msg("283:01", dup169); + + var msg536 = msg("283", dup170); + + var select269 = linear_select([ + msg535, + msg536, + ]); + + var msg537 = msg("284:01", dup151); + + var msg538 = msg("284", dup152); + + var select270 = linear_select([ + msg537, + msg538, + ]); + + var msg539 = msg("285:01", dup159); + + var msg540 = msg("285", dup160); + + var select271 = 
linear_select([ + msg539, + msg540, + ]); + + var msg541 = msg("286:01", dup169); + + var msg542 = msg("286", dup170); + + var select272 = linear_select([ + msg541, + msg542, + ]); + + var msg543 = msg("287:01", dup169); + + var msg544 = msg("287", dup170); + + var select273 = linear_select([ + msg543, + msg544, + ]); + + var msg545 = msg("288:01", dup169); + + var msg546 = msg("288", dup170); + + var select274 = linear_select([ + msg545, + msg546, + ]); + + var msg547 = msg("289:01", dup169); + + var msg548 = msg("289", dup170); + + var select275 = linear_select([ + msg547, + msg548, + ]); + + var msg549 = msg("290:01", dup169); + + var msg550 = msg("290", dup170); + + var select276 = linear_select([ + msg549, + msg550, + ]); + + var msg551 = msg("291:01", dup169); + + var msg552 = msg("291", dup170); + + var select277 = linear_select([ + msg551, + msg552, + ]); + + var msg553 = msg("292:01", dup169); + + var msg554 = msg("292", dup170); + + var select278 = linear_select([ + msg553, + msg554, + ]); + + var msg555 = msg("293:01", dup169); + + var msg556 = msg("293", dup170); + + var select279 = linear_select([ + msg555, + msg556, + ]); + + var msg557 = msg("294:01", dup169); + + var msg558 = msg("294", dup170); + + var select280 = linear_select([ + msg557, + msg558, + ]); + + var msg559 = msg("295:01", dup169); + + var msg560 = msg("295", dup170); + + var select281 = linear_select([ + msg559, + msg560, + ]); + + var msg561 = msg("296:01", dup169); + + var msg562 = msg("296", dup170); + + var select282 = linear_select([ + msg561, + msg562, + ]); + + var msg563 = msg("297:01", dup151); + + var msg564 = msg("297", dup152); + + var select283 = linear_select([ + msg563, + msg564, + ]); + + var msg565 = msg("298:01", dup151); + + var msg566 = msg("298", dup152); + + var select284 = linear_select([ + msg565, + msg566, + ]); + + var msg567 = msg("299:01", dup169); + + var msg568 = msg("299", dup170); + + var select285 = linear_select([ + msg567, + msg568, + ]); + + var 
part24 = match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + + var all1 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part24, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), + }); + + var msg569 = msg("300:02", all1); + + var part25 = tagval("MESSAGE#569:300:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup4, + dup2, + dup3, + dup24, + ])); + + var msg570 = msg("300:01", part25); + + var msg571 = msg("300", dup154); + + var select286 = linear_select([ + msg569, + msg570, + msg571, + ]); + + var msg572 = msg("301:01", dup163); + + var msg573 = msg("301", dup164); + + var select287 = linear_select([ + msg572, + msg573, + ]); + + var part26 = match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + + var all2 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + 
dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part26, + ], + on_success: processor_chain([ + dup21, + dup2, + dup3, + dup24, + ]), + }); + + var msg574 = msg("302:02", all2); + + var msg575 = msg("302:01", dup163); + + var msg576 = msg("302", dup164); + + var select288 = linear_select([ + msg574, + msg575, + msg576, + ]); + + var msg577 = msg("303:01", dup163); + + var msg578 = msg("303", dup164); + + var select289 = linear_select([ + msg577, + msg578, + ]); + + var part27 = match("MESSAGE#578:304:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); + + var part28 = match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); + + var select290 = linear_select([ + part27, + part28, + ]); + + var part29 = match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + + var all3 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + select290, + part29, + ], + on_success: processor_chain([ + dup26, + dup2, + dup3, + dup24, + ]), + }); + + var msg579 = msg("304:02", all3); + + var msg580 = msg("304:01", dup169); + + var msg581 = msg("304", dup170); + + var select291 = linear_select([ + msg579, + msg580, + msg581, + ]); + + var msg582 = msg("305:01", dup169); + + var msg583 = msg("305", dup170); + + var select292 = linear_select([ + msg582, + msg583, + ]); + + var msg584 = msg("306:01", dup151); + + var msg585 = msg("306", dup152); + + var select293 = linear_select([ + msg584, + msg585, + ]); + + var msg586 = msg("307:01", dup151); + + var msg587 = msg("307", dup152); + + var 
select294 = linear_select([ + msg586, + msg587, + ]); + + var part30 = tagval("MESSAGE#587:308:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup78, + dup2, + dup3, + ])); + + var msg588 = msg("308:01", part30); + + var part31 = match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup78, + dup2, + ])); + + var msg589 = msg("308", part31); + + var select295 = linear_select([ + msg588, + msg589, + ]); + + var part32 = tagval("MESSAGE#589:309:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": 
"dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, + ])); + + var msg590 = msg("309:01", part32); + + var part33 = match("MESSAGE#590:309", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, + ])); + + var msg591 = msg("309", part33); + + var select296 = linear_select([ + msg590, + msg591, + ]); + + var msg592 = msg("317:01", dup195); + + var msg593 = msg("317", dup196); + + var select297 = linear_select([ + msg592, + msg593, + ]); + + var msg594 = msg("316:01", dup195); + + var msg595 = msg("316", dup196); + + var select298 = linear_select([ + msg594, + msg595, + ]); + + var msg596 = msg("355:01", dup197); + + var msg597 = msg("355", dup198); + + var select299 = linear_select([ + msg596, + msg597, + ]); + + var msg598 = msg("356:01", dup197); + + var msg599 = msg("356", dup198); + + var select300 = linear_select([ + msg598, + msg599, + ]); + + var msg600 = msg("357:01", dup199); + + var msg601 = msg("357", dup200); + + var select301 = linear_select([ + msg600, + msg601, + ]); + + var msg602 = msg("358:01", dup199); + + var msg603 = msg("358", dup200); + + var select302 = linear_select([ + msg602, + msg603, + ]); 
+ + var part34 = tagval("MESSAGE#603:190:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup84, + dup2, + dup3, + ])); + + var msg604 = msg("190:01", part34); + + var part35 = match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup84, + dup2, + ])); + + var msg605 = msg("190", part35); + + var select303 = linear_select([ + msg604, + msg605, + ]); + + var msg606 = msg("5:01", dup161); + + var msg607 = msg("5", dup162); + + var select304 = linear_select([ + msg606, + msg607, + ]); + + var msg608 = msg("310:01", dup153); + + var msg609 = msg("310", dup154); + + var select305 = linear_select([ + msg608, + msg609, + ]); + + var msg610 = msg("311:01", dup153); + + var msg611 = msg("311", dup154); + + var select306 = linear_select([ + msg610, + msg611, + ]); + + var msg612 = msg("312:01", dup153); + + var msg613 = 
msg("312", dup154); + + var select307 = linear_select([ + msg612, + msg613, + ]); + + var msg614 = msg("313:01", dup153); + + var msg615 = msg("313", dup154); + + var select308 = linear_select([ + msg614, + msg615, + ]); + + var msg616 = msg("359:01", dup153); + + var msg617 = msg("359", dup154); + + var select309 = linear_select([ + msg616, + msg617, + ]); + + var msg618 = msg("372", dup201); + + var msg619 = msg("374", dup201); + + var msg620 = msg("376", dup201); + + var part36 = match("MESSAGE#620:411:01/17_0", "nwparser.p0", "\"%{fld89}\";LogonDomain=%{p0}"); + + var part37 = match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); + + var select310 = linear_select([ + part36, + part37, + ]); + + var part38 = match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); + + var part39 = match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); + + var select311 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); + + var all4 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + select310, + dup189, + dup190, + dup191, + dup192, + dup193, + select311, + part40, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), + }); + + var msg621 = msg("411:01", all4); + + var part41 = match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); + + 
var select312 = linear_select([ + part41, + dup150, + ]); + + var all5 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select312, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg622 = msg("411", all5); + + var select313 = linear_select([ + msg621, + msg622, + ]); + + var part42 = match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg623 = msg("385", part42); + + var part43 = match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + + var select314 = linear_select([ + part43, + dup150, + ]); + + var all6 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + 
dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select314, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg624 = msg("361", all6); + + var part44 = match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + + var select315 = linear_select([ + part44, + dup150, + ]); + + var all7 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select315, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg625 = msg("412", all7); + + var msg626 = msg("378", dup153); + + var msg627 = msg("321", dup153); + + var msg628 = msg("322", dup153); + + var msg629 = msg("323", dup153); + + var msg630 = msg("318", dup153); + + var msg631 = msg("380", dup153); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "1": select2, + "10": select9, + "100": select99, + "101": select100, + "102": select101, + "103": select102, + "104": select103, + "105": select104, + "106": select105, + "107": select106, + "108": select107, + "109": select108, + "11": select10, + "110": select109, + "111": select110, + "112": select111, + "114": select112, + "115": select113, + "116": select114, + "117": select115, + "118": select116, + "119": select117, + "12": select11, + "120": select118, + "121": select119, + "122": select120, + "123": select121, + "124": select122, + "125": select123, 
+ "126": select124, + "127": select125, + "128": select126, + "129": select127, + "13": select12, + "130": select128, + "131": select129, + "132": select130, + "133": select131, + "134": select132, + "135": select133, + "136": select134, + "137": select135, + "138": select136, + "139": select137, + "14": select13, + "140": select138, + "141": select139, + "142": select140, + "143": select141, + "144": select142, + "145": select143, + "146": select144, + "147": select145, + "148": select146, + "149": select147, + "15": select14, + "150": select148, + "152": select149, + "153": select150, + "154": select151, + "155": select152, + "156": select153, + "157": select154, + "158": select155, + "159": select156, + "16": select15, + "160": select157, + "161": select158, + "162": select159, + "163": select160, + "164": select161, + "165": select162, + "166": select163, + "167": select164, + "168": select165, + "169": select166, + "17": select16, + "170": select167, + "171": select168, + "172": select169, + "173": select170, + "174": select171, + "175": select172, + "176": select173, + "177": select174, + "178": select175, + "179": select176, + "18": select17, + "180": select177, + "181": select178, + "182": select179, + "183": select180, + "184": select181, + "185": select182, + "186": select183, + "187": select184, + "188": select185, + "189": select186, + "19": select18, + "190": select303, + "191": select187, + "192": select188, + "193": select189, + "194": select190, + "195": select191, + "196": select192, + "197": select193, + "198": select194, + "199": select195, + "2": select3, + "20": select19, + "200": select196, + "201": select197, + "202": select198, + "203": select199, + "204": select200, + "205": select201, + "206": select202, + "207": select203, + "208": select204, + "209": select205, + "21": select20, + "211": select206, + "212": select207, + "213": select208, + "214": select209, + "215": select210, + "216": select211, + "217": select212, + "218": select213, + 
"219": select214, + "22": select21, + "220": select215, + "221": select216, + "222": select217, + "223": select218, + "224": select219, + "229": select220, + "23": select22, + "230": select221, + "231": select222, + "232": select223, + "233": select224, + "236": select225, + "237": select226, + "238": select227, + "239": select228, + "24": select23, + "240": select229, + "241": select230, + "243": select231, + "244": select232, + "246": select233, + "247": select234, + "248": select235, + "249": select236, + "25": select24, + "250": select237, + "251": select238, + "252": select239, + "253": select240, + "254": select241, + "255": select242, + "256": select243, + "257": select244, + "259": select245, + "26": select25, + "260": select246, + "261": select247, + "262": select248, + "263": select249, + "264": select250, + "265": select251, + "266": select252, + "267": select253, + "268": select254, + "269": select255, + "27": select26, + "270": select256, + "271": select257, + "272": select258, + "273": select259, + "274": select260, + "275": select261, + "276": select262, + "277": select263, + "278": select264, + "279": select265, + "28": select27, + "280": select266, + "281": select267, + "282": select268, + "283": select269, + "284": select270, + "285": select271, + "286": select272, + "287": select273, + "288": select274, + "289": select275, + "29": select28, + "290": select276, + "291": select277, + "292": select278, + "293": select279, + "294": select280, + "295": select281, + "296": select282, + "297": select283, + "298": select284, + "299": select285, + "3": select4, + "30": select29, + "300": select286, + "301": select287, + "302": select288, + "303": select289, + "304": select291, + "305": select292, + "306": select293, + "307": select294, + "308": select295, + "309": select296, + "31": select30, + "310": select305, + "311": select306, + "312": select307, + "313": select308, + "316": select298, + "317": select297, + "318": msg630, + "32": select31, + "321": 
msg627, + "322": msg628, + "323": msg629, + "33": select32, + "34": select33, + "35": select34, + "355": select299, + "356": select300, + "357": select301, + "358": select302, + "359": select309, + "36": select35, + "361": msg624, + "37": select36, + "372": msg618, + "374": msg619, + "376": msg620, + "378": msg626, + "38": select37, + "380": msg631, + "385": msg623, + "39": select38, + "4": select5, + "40": select39, + "41": select40, + "411": select313, + "412": msg625, + "42": select41, + "43": select42, + "44": select43, + "45": select44, + "46": select45, + "47": select46, + "48": select47, + "49": select48, + "5": select304, + "50": select49, + "51": select50, + "52": select51, + "53": select52, + "54": select53, + "55": select54, + "56": select55, + "57": select56, + "58": select57, + "59": select58, + "60": select59, + "61": select60, + "62": select61, + "63": select62, + "64": select63, + "65": select64, + "66": select65, + "67": select66, + "68": select67, + "69": select68, + "7": select6, + "70": select69, + "71": select70, + "72": select71, + "73": select72, + "74": select73, + "75": select74, + "76": select75, + "77": select76, + "78": select77, + "79": select78, + "8": select7, + "80": select79, + "81": select80, + "82": select81, + "83": select82, + "84": select83, + "85": select84, + "86": select85, + "87": select86, + "88": select87, + "89": select88, + "9": select8, + "90": select89, + "91": select90, + "92": select91, + "93": select92, + "94": select93, + "95": select94, + "96": select95, + "97": select96, + "98": select97, + "99": select98, + }), + ]); + + var part45 = match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); + + var part46 = match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); + + var part47 = match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); + + var part48 = match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); + + var part49 = 
match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); + + var part50 = match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); + + var part51 = match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); + + var part52 = match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); + + var part53 = match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); + + var part54 = match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%(unknown)\";Safe=%{p0}"); + + var part55 = match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%(unknown);Safe=%{p0}"); + + var part56 = match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); + + var part57 = match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); + + var part58 = match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); + + var part59 = match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); + + var part60 = match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); + + var part61 = match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); + + var part62 = match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); + + var part63 = match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); + + var part64 = match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); + + var part65 = match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); + + var part66 = match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); + + var part67 = match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); + + var part68 = match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); + + var part69 = match("MESSAGE#568:300:02/12_1", "nwparser.p0", 
"%{group};TargetUser=%{p0}"); + + var part70 = match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); + + var part71 = match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); + + var part72 = match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); + + var part73 = match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); + + var part74 = match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); + + var part75 = match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); + + var part76 = match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); + + var part77 = match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); + + var part78 = match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); + + var part79 = match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); + + var part80 = match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); + + var part81 = match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); + + var part82 = match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); + + var part83 = match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); + + var part84 = match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); + + var part85 = match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); + + var part86 = match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); + + var part87 = match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); + + var part88 = match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); + + var part89 = match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); + + var part90 = 
match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); + + var part91 = match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); + + var part92 = match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); + + var part93 = match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); + + var part94 = match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); + + var part95 = match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); + + var part96 = match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); + + var part97 = match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); + + var part98 = match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); + + var part99 = match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); + + var part100 = match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); + + var part101 = match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); + + var part102 = match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); + + var part103 = match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); + + var part104 = match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%(unknown)\";%{p0}"); + + var part105 = match("MESSAGE#621:411/9_1", "nwparser.p0", "%(unknown);%{p0}"); + + var part106 = match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); + + var part107 = match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); + + var part108 = match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); + + var part109 = match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); + + var part110 = match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); + + var part111 = match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); + + var part112 = match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); + + var part113 = 
match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); + + var part114 = match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); + + var part115 = match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); + + var part116 = match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); + + var part117 = match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); + + var part118 = match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); + + var part119 = match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); + + var part120 = match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); + + var part121 = match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); + + var part122 = match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); + + var part123 = match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); + + var part124 = match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); + + var part125 = match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); + + var part126 = match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); + + var part127 = match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); + + var part128 = match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); + + var part129 = match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); + + var part130 = match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); + + var part131 = match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); + + var part132 = match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); + + var part133 = match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); + + var part134 = match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); + + var part135 = 
match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); + + var part136 = match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); + + var part137 = match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); + + var part138 = match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); + + var part139 = match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); + + var part140 = match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); + + var part141 = match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); + + var part142 = match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); + + var part143 = match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); + + var part144 = match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); + + var part145 = match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); + + var part146 = match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); + + var part147 = match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); + + var part148 = match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); + + var part149 = match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); + + var part150 = match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); + + var part151 = match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); + + var part152 = match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); + + var part153 = match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); + + var part154 = match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); + + var part155 = match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); + + var part156 = match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); + + var part157 = match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); + + var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { + "Address": 
"dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup1, + dup2, + dup3, + ])); + + var part159 = match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, + ])); + + var part160 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ 
+ dup4, + dup2, + dup3, + ])); + + var part161 = match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup4, + dup2, + ])); + + var part162 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, + ])); + + var part163 = match("MESSAGE#7:4", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + ])); + + var part164 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, + ])); + + var part165 = match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + 
dup17, + dup9, + dup2, + ])); + + var part166 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup19, + dup2, + dup3, + ])); + + var part167 = match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, + ])); + + var part168 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + 
"TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup15, + dup2, + dup3, + ])); + + var part169 = match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, + ])); + + var part170 = tagval("MESSAGE#38:22:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup21, + dup2, + dup3, + ])); + + var part171 = match("MESSAGE#39:22", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, + ])); + + var part172 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup23, + dup2, + dup3, + ])); + + var part173 = match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, + ])); + + var part174 = tagval("MESSAGE#116:61:01", 
"nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup20, + dup2, + dup3, + ])); + + var part175 = match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, + ])); + + var part176 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": 
"c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + ])); + + var part177 = match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, + ])); + + var part178 = tagval("MESSAGE#190:98:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, + ])); + + var select316 = linear_select([ + dup32, + dup33, + ]); + + var select317 = linear_select([ + dup34, + dup35, + ]); + + var select318 = linear_select([ + dup36, + dup37, + ]); + + var select319 = linear_select([ + dup38, + dup39, + ]); + + var select320 = linear_select([ + dup40, + dup41, + ]); + + var select321 = linear_select([ + dup42, + dup43, + ]); + + var select322 = linear_select([ + dup44, + dup45, + ]); + + var select323 = linear_select([ + dup46, + dup47, + ]); + + var select324 = 
linear_select([ + dup48, + dup49, + ]); + + var select325 = linear_select([ + dup50, + dup51, + ]); + + var select326 = linear_select([ + dup52, + dup53, + ]); + + var select327 = linear_select([ + dup54, + dup55, + ]); + + var select328 = linear_select([ + dup56, + dup57, + ]); + + var select329 = linear_select([ + dup58, + dup59, + ]); + + var select330 = linear_select([ + dup60, + dup61, + ]); + + var select331 = linear_select([ + dup62, + dup63, + ]); + + var select332 = linear_select([ + dup64, + dup65, + ]); + + var select333 = linear_select([ + dup66, + dup67, + ]); + + var select334 = linear_select([ + dup68, + dup69, + ]); + + var select335 = linear_select([ + dup70, + dup71, + ]); + + var select336 = linear_select([ + dup72, + dup73, + ]); + + var select337 = linear_select([ + dup74, + dup75, + ]); + + var select338 = linear_select([ + dup76, + dup77, + ]); + + var part179 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, + ])); + + var part180 = match("MESSAGE#592:317", "nwparser.payload", "%{product->} 
%{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, + ])); + + var part181 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup82, + dup2, + dup3, + ])); + + var part182 = match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, + ])); + + var part183 = 
tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", + }, processor_chain([ + dup83, + dup2, + dup3, + ])); + + var part184 = match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%(unknown)\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, + ])); + + var part185 = match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%(unknown);Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var select339 = linear_select([ + dup85, + dup86, + 
]); + + var select340 = linear_select([ + dup88, + dup89, + ]); + + var select341 = linear_select([ + dup91, + dup92, + ]); + + var select342 = linear_select([ + dup94, + dup95, + ]); + + var select343 = linear_select([ + dup97, + dup98, + ]); + + var select344 = linear_select([ + dup100, + dup101, + ]); + + var select345 = linear_select([ + dup103, + dup104, + ]); + + var select346 = linear_select([ + dup106, + dup107, + ]); + + var select347 = linear_select([ + dup109, + dup110, + ]); + + var select348 = linear_select([ + dup112, + dup113, + ]); + + var select349 = linear_select([ + dup115, + dup116, + dup117, + dup118, + ]); + + var select350 = linear_select([ + dup120, + dup121, + ]); + + var select351 = linear_select([ + dup123, + dup124, + ]); + + var select352 = linear_select([ + dup126, + dup127, + ]); + + var select353 = linear_select([ + dup129, + dup130, + ]); + + var select354 = linear_select([ + dup132, + dup133, + ]); + + var select355 = linear_select([ + dup135, + dup136, + ]); + + var select356 = linear_select([ + dup138, + dup139, + ]); + + var select357 = linear_select([ + dup141, + dup142, + ]); + + var select358 = linear_select([ + dup144, + dup145, + ]); + + var select359 = linear_select([ + dup147, + dup148, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: 
true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/cyberark/0.5.1/data_stream/corepas/elasticsearch/ingest_pipeline/default.yml b/packages/cyberark/0.5.1/data_stream/corepas/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..603abbe60f
--- /dev/null
+++ b/packages/cyberark/0.5.1/data_stream/corepas/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,72 @@
+---
+description: Pipeline for CyberArk.
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cyberark/0.5.1/data_stream/corepas/fields/base-fields.yml b/packages/cyberark/0.5.1/data_stream/corepas/fields/base-fields.yml
new file mode 100755
index 0000000000..21c3c25647
--- /dev/null
+++ b/packages/cyberark/0.5.1/data_stream/corepas/fields/base-fields.yml
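Review bot: The `on_failure` handler at the end of the pipeline only appends `error.message`, so a document that fails any processor is indexed looking like a cleanly parsed event unless someone knows to query that field. Setting the ECS categorization field in the same handler gives monitoring and detection content a stable signal to exclude or alert on; add `- set:` / `field: event.kind` / `value: pipeline_error` next to the existing `append` under `on_failure`. The `remove` of `event.original` carries `ignore_failure: true`, so a failure there is already swallowed rather than routed here; that is presumably intentional and worth a one-line comment above it.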
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cyberark
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cyberark.corepas
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/cyberark/0.5.1/data_stream/corepas/fields/ecs.yml b/packages/cyberark/0.5.1/data_stream/corepas/fields/ecs.yml
new file mode 100755
index 0000000000..78ddffacce
--- /dev/null
+++ b/packages/cyberark/0.5.1/data_stream/corepas/fields/ecs.yml
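Review bot: Key order and punctuation are inconsistent across the field entries: the first six use `name, type, description` while `container.id` through `tags` use `name, description, ..., type`, and the `event.module` and `event.dataset` descriptions are the only ones without a trailing period. Pick one key order for the whole file and change the two lines to `description: Event module.` and `description: Event dataset.` so the rendered field reference reads uniformly.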
@@ -0,0 +1,541 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/cyberark/0.5.1/data_stream/corepas/fields/fields.yml b/packages/cyberark/0.5.1/data_stream/corepas/fields/fields.yml new file mode 100755 index 0000000000..489a873293 --- /dev/null +++ b/packages/cyberark/0.5.1/data_stream/corepas/fields/fields.yml 
@@ -0,0 +1,1753 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: ubc_res
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: word
+ type: keyword
+ description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
+ - name: time
+ type: group
+ fields:
+ - name: event_time
+ type: date
+ description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
+ - name: duration_time
+ type: double
+ description: This key is used to capture the normalized duration/lifetime in seconds.
+ - name: event_time_str
+ type: keyword
+ description: This key is used to capture the incomplete time mentioned in a session as a string
+ - name: starttime
+ type: date
+ description: This key is used to capture the Start time mentioned in a session in a standard form
+ - name: month
+ type: keyword
+ - name: day
+ type: keyword
+ - name: endtime
+ type: date
+ description: This key is used to capture the End time mentioned in a session in a standard form
+ - name: timezone
+ type: keyword
+ description: This key is used to capture the timezone of the Event Time
+ - name: duration_str
+ type: keyword
+ description: A text string version of the duration
+ - name: date
+ type: keyword
+ - name: year
+ type: keyword
+ - name: recorded_time
+ type: date
+ description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
+ - name: datetime
+ type: keyword
+ - name: effective_time
+ type: date
+ description: This key is the effective time referenced by an individual event in a Standard Timestamp format
+ - name: expire_time
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ type: keyword
+ - name: min
+ type: keyword
+ - name: timestamp
+ type: keyword
+ - name: event_queue_time
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ type: keyword
+ - name: tzone
+ type: keyword
+ - name: eventtime
+ type: keyword
+ - name: gmtdate
+ type: keyword
+ - name: gmttime
+ type: keyword
+ - name: p_date
+ type: keyword
+ - name: p_month
+ type: keyword
+ - name: p_time
+ type: keyword
+ - name: p_time2
+ type: keyword
+ - name: p_year
+ type: keyword
+ - name: expire_time_str
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+ - name: stamp
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: result
+ type: keyword
+ description: This key is used to capture the outcome/result string value of an action in a session.
+ - name: severity
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ type: keyword
+ description: This key captures the event category type as specified by the event source.
+ - name: reference_id
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ type: keyword
+ description: This key captures Version of the application or OS which is generating the event.
+ - name: disposition
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of an action in a session
+ - name: category
+ type: keyword
+ description: This key is used to capture the category of an event given by the vendor in the session
+ - name: obj_name
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ type: keyword
+ description: "This key captures Source of the event that’s not a hostname"
+ - name: log_session_id
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ type: keyword
+ description: This key captures Information which adds additional context to the event.
+ - name: change_new
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that’s changing in a session"
+ - name: space
+ type: keyword
+ - name: client
+ type: keyword
+ description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ type: keyword
+ - name: msgIdPart2
+ type: keyword
+ - name: change_old
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that’s changing in a session"
+ - name: operation_id
+ type: keyword
+ description: An alert number or operation number. The values should be unique and non-repeating.
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application, etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that’s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy. This contains details about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ - name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it’s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it’s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it’s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r3.str only
+ - name: dclass_r2_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r2 only
+ - name: dclass_r3_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r3 only
+ - name: identity
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: This key is used to capture authentication methods used only
+ - name: user_role
+ type: keyword
+ description: This key is used to capture the Role of a user only
+ - name: dn
+ type: keyword
+ description: X.500 (LDAP) Distinguished Name
+ - name: logon_type
+ type: keyword
+ description: This key is used to capture the type of logon method used.
+ - name: profile
+ type: keyword
+ description: This key is used to capture the user profile
+ - name: accesses
+ type: keyword
+ description: This key is used to capture actual privileges used in accessing an object
+ - name: realm
+ type: keyword
+ description: Radius realm or similar grouping of accounts
+ - name: user_sid_dst
+ type: keyword
+ description: This key captures Destination User Session ID
+ - name: dn_src
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn
+ - name: org
+ type: keyword
+ description: This key captures the User organization
+ - name: dn_dst
+ type: keyword
+ description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn
+ - name: firstname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: lastname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: user_dept
+ type: keyword
+ description: User's Department Names only
+ - name: user_sid_src
+ type: keyword
+ description: This key captures Source User Session ID
+ - name: federated_sp
+ type: keyword
+ description: This key is the Federated Service Provider. This is the application requesting authentication.
+ - name: federated_idp
+ type: keyword
+ description: This key is the federated Identity Provider. This is the server providing the authentication.
+ - name: logon_type_desc
+ type: keyword
+ description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'.
+ - name: middlename
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: password
+ type: keyword
+ description: This key is for Passwords seen in any session, plain text or encrypted
+ - name: host_role
+ type: keyword
+ description: This key should only be used to capture the role of a Host Machine
+ - name: ldap
+ type: keyword
+ description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context"
+ - name: ldap_query
+ type: keyword
+ description: This key is the Search criteria from an LDAP search
+ - name: ldap_response
+ type: keyword
+ description: This key is to capture Results from an LDAP search
+ - name: owner
+ type: keyword
+ description: This is used to capture username the process or service is running as, the author of the task
+ - name: service_account
+ type: keyword
+ description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage
+ - name: email
+ type: group
+ fields:
+ - name: email_dst
+ type: keyword
+ description: This key is used to capture the Destination email address only, when the destination context is not clear use email
+ - name: email_src
+ type: keyword
+ description: This key is used to capture the source email address only, when the source context is not clear use email
+ - name: subject
+ type: keyword
+ description: This key is used to capture the subject string from an Email only.
+ - name: email
+ type: keyword
+ description: This key is used to capture a generic email address where the source or destination context is not clear
+ - name: trans_from
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: trans_to
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: file
+ type: group
+ fields:
+ - name: privilege
+ type: keyword
+ description: Deprecated, use permissions
+ - name: attachment
+ type: keyword
+ description: This key captures the attachment file name
+ - name: filesystem
+ type: keyword
+ - name: binary
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/cyberark/0.5.1/data_stream/corepas/manifest.yml b/packages/cyberark/0.5.1/data_stream/corepas/manifest.yml new file mode 100755 index 0000000000..252028d3b9 --- /dev/null +++ b/packages/cyberark/0.5.1/data_stream/corepas/manifest.yml 
@@ -0,0 +1,205 @@
+title: CyberArk logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: CyberArk logs
+ description: Collect CyberArk logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cyberark-corepas
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9543
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: CyberArk logs
+ description: Collect CyberArk logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cyberark-corepas
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9543
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: CyberArk logs
+ description: Collect CyberArk logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cyberark-corepas.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cyberark-corepas
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/cyberark/0.5.1/data_stream/corepas/sample_event.json b/packages/cyberark/0.5.1/data_stream/corepas/sample_event.json
new file mode 100755
index 0000000000..61965f7044
--- /dev/null
+++ b/packages/cyberark/0.5.1/data_stream/corepas/sample_event.json
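Review bot: The `tcp` stream (the second input block of this hunk) declares no TLS-related variable, so the listener it configures accepts syslog in cleartext only, unless `tcp.yml.hbs` — not in this chunk — wires something in; audit logs from a privileged-access vault are worth protecting in transit. Other syslog-over-TCP data streams in this repository expose an `ssl` variable of `type: yaml` for this purpose, and adding the same here (`required: false`, `show_user: false`) plus a line in the README would let operators enable it. Separately, `rsa_fields` (default `true` in all three streams) and `debug` carry no `description`; the RSA field catalogue earlier in this diff — presumably the same family this switch controls — includes `rsa.identity.password` ("Passwords seen in any session, plain text or encrypted"), so a description such as `description: Index the vendor-specific rsa.* fields in addition to ECS; these can include credential material present in the raw message` would make the trade-off visible in the UI. `debug` presumably increases what the parser writes to agent logs, so a matching one-line description there would help too.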
@@ -0,0 +1,94 @@
+{
+ "@timestamp": "2021-02-10T12:23:41.000Z",
+ "agent": {
+ "ephemeral_id": "0acb65df-fc3b-4b32-80ff-9c6c6cf8464a",
+ "hostname": "docker-fleet-agent",
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "data_stream": {
+ "dataset": "cyberark.corepas",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "elastic_agent": {
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "action": "accept",
+ "agent_id_status": "verified",
+ "code": "scivel",
+ "dataset": "cyberark.corepas",
+ "ingested": "2022-01-25T09:13:27Z",
+ "timezone": "+00:00"
+ },
+ "file": {
+ "directory": "riatu",
+ "name": "orroquis"
+ },
+ "host": {
+ "ip": "10.141.200.133"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "low",
+ "source": {
+ "address": "172.19.0.4:34447"
+ }
+ },
+ "observer": {
+ "product": "eiusmod",
+ "type": "Access",
+ "vendor": "CyberArk",
+ "version": "1.7546"
+ },
+ "related": {
+ "ip": [
+ "10.141.200.133"
+ ],
+ "user": [
+ "ess",
+ "enim",
+ "iame"
+ ]
+ },
+ "rsa": {
+ "db": {
+ "index": "nofdeFi"
+ },
+ "internal": {
+ "event_desc": "isnostru",
+ "messageid": "285"
+ },
+ "misc": {
+ "action": [
+ "accept"
+ ],
+ "category": "loinve",
+ "group_object": "aquio",
+ "reference_id": "scivel",
+ "reference_id1": "tanimid",
+ "severity": "low",
+ "version": "1.7546"
+ },
+ "time": {
+ "event_time": "2021-02-10T12:23:41.000Z"
+ }
+ },
+ "tags": [
+ "cyberark-corepas",
+ "forwarded"
+ ],
+ "user": {
+ "name": "enim"
+ }
+}
\ No newline at end of file
diff --git a/packages/cyberark/0.5.1/docs/README.md b/packages/cyberark/0.5.1/docs/README.md
new file mode 100755
index 0000000000..22d68531ab
--- /dev/null
+++ b/packages/cyberark/0.5.1/docs/README.md
@@ -0,0 +1,796 @@ +# CyberArk integration + +This integration is for [CyberArk](https://docs.cyberark.com/Product-Doc/OnlineHelp/Portal/Content/Resources/_TopNav/cc_Portal.htm) device logs. It includes the following datasets for receiving logs over syslog or reading from a file: + +- `corepas` dataset: supports CyberArk logs. + +### Corepas + +The `corepas` dataset supports ingesting logs from CyberArk [Privileged Access Manager](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/Resources/_TopNav/cc_Home.htm). + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. 
| keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. 
It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. 
| keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. 
| keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.pid | Process id. | long |
+| process.ppid | Parent process' pid. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names seen on your event. | keyword |
+| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
+| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
+| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
+| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
+| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
+| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
+| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
+| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
+| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
+| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
+| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
+| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
+| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
+| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
+| rsa.crypto.cert_checksum | | keyword |
+| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
+| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
+| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword |
+| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword |
+| rsa.crypto.cert_issuer | | keyword |
+| rsa.crypto.cert_keysize | | keyword |
+| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
+| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
+| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
+| rsa.crypto.cert_username | | keyword |
+| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
+| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
+| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
+| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
+| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
+| rsa.crypto.d_certauth | | keyword |
+| rsa.crypto.https_insact | | keyword |
+| rsa.crypto.https_valid | | keyword |
+| rsa.crypto.ike | IKE negotiation phase. | keyword |
+| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword |
+| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword |
+| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword |
+| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword |
+| rsa.crypto.s_certauth | | keyword |
+| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword |
+| rsa.crypto.sig_type | This key captures the Signature Type | keyword |
+| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword |
+| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword |
+| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword |
+| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword |
+| rsa.db.db_pid | This key captures the process id of a connection with database server | long |
+| rsa.db.index | This key captures IndexID of the index. | keyword |
+| rsa.db.instance | This key is used to capture the database server instance name | keyword |
+| rsa.db.lread | This key is used for the number of logical reads | long |
+| rsa.db.lwrite | This key is used for the number of logical writes | long |
+| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword |
+| rsa.db.pread | This key is used for the number of physical writes | long |
+| rsa.db.table_name | This key is used to capture the table name | keyword |
+| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword |
+| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword |
+| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword |
+| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword |
+| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword |
+| rsa.email.trans_from | Deprecated key defined only in table map. | keyword |
+| rsa.email.trans_to | Deprecated key defined only in table map. | keyword |
+| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword |
+| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword |
+| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword |
+| rsa.file.attachment | This key captures the attachment file name | keyword |
+| rsa.file.binary | Deprecated key defined only in table map. | keyword |
+| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword |
+| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword |
+| rsa.file.file_entropy | This is used to capture entropy vale of a file | double |
+| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword |
+| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword |
+| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword |
+| rsa.file.filename_tmp | | keyword |
+| rsa.file.filesystem | | keyword |
+| rsa.file.privilege | Deprecated, use permissions | keyword |
+| rsa.file.task_name | This is used to capture name of the task | keyword |
+| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword |
+| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword |
+| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword |
+| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword |
+| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword |
+| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword |
+| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword |
+| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword |
+| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword |
+| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword |
+| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword |
+| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword |
+| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword |
+| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword |
+| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.org | This key captures the User organization | keyword |
+| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword |
+| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword |
+| rsa.identity.profile | This key is used to capture the user profile | keyword |
+| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword |
+| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword |
+| rsa.identity.user_dept | User's Department Names only | keyword |
+| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword |
+| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword |
+| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword |
+| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.data | Deprecated key defined only in table map. | keyword |
+| rsa.internal.dead | Deprecated key defined only in table map. | long |
+| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map. | keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
+| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
+| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
+| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
+| rsa.internal.resource | Deprecated key defined only in table map. | keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 | | keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword |
+| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword |
+| rsa.misc.context_target | | keyword |
+| rsa.misc.count | | keyword |
+| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long |
+| rsa.misc.cpu_data | | keyword |
+| rsa.misc.criticality | | keyword |
+| rsa.misc.cs_agency_dst | | keyword |
+| rsa.misc.cs_analyzedby | | keyword |
+| rsa.misc.cs_av_other | | keyword |
+| rsa.misc.cs_av_primary | | keyword |
+| rsa.misc.cs_av_secondary | | keyword |
+| rsa.misc.cs_bgpv6nxthop | | keyword |
+| rsa.misc.cs_bit9status | | keyword |
+| rsa.misc.cs_context | | keyword |
+| rsa.misc.cs_control | | keyword |
+| rsa.misc.cs_data | | keyword |
+| rsa.misc.cs_datecret | | keyword |
+| rsa.misc.cs_dst_tld | | keyword |
+| rsa.misc.cs_eth_dst_ven | | keyword |
+| rsa.misc.cs_eth_src_ven | | keyword |
+| rsa.misc.cs_event_uuid | | keyword |
+| rsa.misc.cs_filetype | | keyword |
+| rsa.misc.cs_fld | | keyword |
+| rsa.misc.cs_if_desc | | keyword |
+| rsa.misc.cs_if_name | | keyword |
+| rsa.misc.cs_ip_next_hop | | keyword |
+| rsa.misc.cs_ipv4dstpre | | keyword |
+| rsa.misc.cs_ipv4srcpre | | keyword |
+| rsa.misc.cs_lifetime | | keyword |
+| rsa.misc.cs_log_medium | | keyword |
+| rsa.misc.cs_loginname | | keyword |
+| rsa.misc.cs_modulescore | | keyword |
+| rsa.misc.cs_modulesign | | keyword |
+| rsa.misc.cs_opswatresult | | keyword |
+| rsa.misc.cs_payload | | keyword |
+| rsa.misc.cs_registrant | | keyword |
+| rsa.misc.cs_registrar | | keyword |
+| rsa.misc.cs_represult | | keyword |
+| rsa.misc.cs_rpayload | | keyword |
+| rsa.misc.cs_sampler_name | | keyword |
+| rsa.misc.cs_sourcemodule | | keyword |
+| rsa.misc.cs_streams | | keyword |
+| rsa.misc.cs_targetmodule | | keyword |
+| rsa.misc.cs_v6nxthop | | keyword |
+| rsa.misc.cs_whois_server | | keyword |
+| rsa.misc.cs_yararesult | | keyword |
+| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword |
+| rsa.misc.data_type | | keyword |
+| rsa.misc.description | | keyword |
+| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword |
+| rsa.misc.devvendor | | keyword |
+| rsa.misc.disposition | This key captures the The end state of an action. | keyword |
+| rsa.misc.distance | | keyword |
+| rsa.misc.doc_number | This key captures File Identification number | long |
+| rsa.misc.dstburb | | keyword |
+| rsa.misc.edomain | | keyword |
+| rsa.misc.edomaub | | keyword |
+| rsa.misc.ein_number | Employee Identification Numbers only | long |
+| rsa.misc.error | This key captures All non successful Error codes or responses | keyword |
+| rsa.misc.euid | | keyword |
+| rsa.misc.event_category | | keyword |
+| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword |
+| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword |
+| rsa.misc.event_id | | keyword |
+| rsa.misc.event_log | This key captures the Name of the event log | keyword |
+| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword |
+| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword |
+| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword |
+| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword |
+| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword |
+| rsa.misc.facility | | keyword |
+| rsa.misc.facilityname | | keyword |
+| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword |
+| rsa.misc.filter | This key captures Filter used to reduce result set | keyword |
+| rsa.misc.finterface | | keyword |
+| rsa.misc.flags | | keyword |
+| rsa.misc.forensic_info | | keyword |
+| rsa.misc.found | This is used to capture the results of regex match | keyword |
+| rsa.misc.fresult | This key captures the Filter Result | long |
+| rsa.misc.gaddr | | keyword |
+| rsa.misc.group | This key captures the Group Name value | keyword |
+| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword |
+| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword |
+| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword |
+| rsa.misc.id3 | | keyword |
+| rsa.misc.im_buddyid | | keyword |
+| rsa.misc.im_buddyname | | keyword |
+| rsa.misc.im_client | | keyword |
+| rsa.misc.im_croomid | | keyword |
+| rsa.misc.im_croomtype | | keyword |
+| rsa.misc.im_members | | keyword |
+| rsa.misc.im_userid | | keyword |
+| rsa.misc.im_username | | keyword |
+| rsa.misc.index | | keyword |
+| rsa.misc.inout | | keyword |
+| rsa.misc.ipkt | | keyword |
+| rsa.misc.ipscat | | keyword |
+| rsa.misc.ipspri | | keyword |
+| rsa.misc.job_num | This key captures the Job Number | keyword |
+| rsa.misc.jobname | | keyword |
+| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword |
+| rsa.misc.latitude | | keyword |
+| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword |
+| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long |
+| rsa.misc.linenum | | keyword |
+| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword |
+| rsa.misc.ntype | | keyword |
+| rsa.misc.num | | keyword |
+| rsa.misc.number | | keyword |
+| rsa.misc.number1 | | keyword |
+| rsa.misc.number2 | | keyword |
+| rsa.misc.nwwn | | keyword |
+| rsa.misc.obj_name | This is used to capture name of object | keyword |
+| rsa.misc.obj_type | This is used to capture type of object | keyword |
+| rsa.misc.object | | keyword |
+| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
+| rsa.misc.operation | | keyword |
+| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
+| rsa.misc.opkt | | keyword |
+| rsa.misc.orig_from | | keyword |
+| rsa.misc.owner_id | | keyword |
+| rsa.misc.p_action | | keyword |
+| rsa.misc.p_filter | | keyword |
+| rsa.misc.p_group_object | | keyword |
+| rsa.misc.p_id | | keyword |
+| rsa.misc.p_msgid | | keyword |
+| rsa.misc.p_msgid1 | | keyword |
+| rsa.misc.p_msgid2 | | keyword |
+| rsa.misc.p_result1 | | keyword |
+| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
+| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
+| rsa.misc.param_src | This key captures source parameter | keyword |
+| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword |
+| rsa.misc.password_chg | | keyword |
+| rsa.misc.password_expire | | keyword |
+| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
+| rsa.misc.payload_src | This key is used to capture source payload | keyword |
+| rsa.misc.permgranted | | keyword |
+| rsa.misc.permwanted | | keyword |
+| rsa.misc.pgid | | keyword |
+| rsa.misc.phone | | keyword |
+| rsa.misc.pid | | keyword |
+| rsa.misc.policy | | keyword |
+| rsa.misc.policyUUID | | keyword |
+| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
+| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
+| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
+| rsa.misc.policy_waiver | | keyword |
+| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
+| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
+| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
+| rsa.misc.priority | | keyword |
+| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
+| rsa.misc.prog_asp_num | | keyword |
+| rsa.misc.program | | keyword |
+| rsa.misc.real_data | | keyword |
+| rsa.misc.reason | | keyword |
+| rsa.misc.rec_asp_device | | keyword |
+| rsa.misc.rec_asp_num | | keyword |
+| rsa.misc.rec_library | | keyword |
+| rsa.misc.recordnum | | keyword |
+| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
+| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
+| rsa.misc.reference_id2 | This key is for the 2nd Linked ID.
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+
diff --git a/packages/cyberark/0.5.1/img/logo.svg b/packages/cyberark/0.5.1/img/logo.svg
new file mode 100755
index 0000000000..04930adfd8
--- /dev/null
+++ b/packages/cyberark/0.5.1/img/logo.svg
@@ -0,0 +1 @@
+Asset 25
diff --git a/packages/cyberark/0.5.1/manifest.yml b/packages/cyberark/0.5.1/manifest.yml
new file mode 100755
index 0000000000..85f3952ae7
--- /dev/null
+++ b/packages/cyberark/0.5.1/manifest.yml
@@ -0,0 +1,32 @@
+format_version: 1.0.0
+name: cyberark
+title: CyberArk
+version: 0.5.1
+description: Deprecated. Use CyberArk Privileged Access Security instead.
+categories: ["security"]
+release: experimental
+license: basic
+type: integration
+conditions:
+  kibana.version: "^7.14.1"
+policy_templates:
+  - name: cyberark
+    title: CyberArk logs
+    description: Collect CyberArk logs from syslog or a file.
+    inputs:
+      - type: udp
+        title: Collect logs from CyberArk via UDP
+        description: Collecting syslog from CyberArk via UDP
+      - type: tcp
+        title: Collect logs from CyberArk via TCP
+        description: Collecting syslog from CyberArk via TCP
+      - type: logfile
+        title: Collect logs from CyberArk via file
+        description: Collecting syslog from CyberArk via file.
+icons:
+  - src: /img/logo.svg
+    title: CyberArk logo
+    size: 32x32
+    type: image/svg+xml
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/infoblox/0.8.1/changelog.yml b/packages/infoblox/0.8.1/changelog.yml
new file mode 100755
index 0000000000..65c9b154a5
--- /dev/null
+++ b/packages/infoblox/0.8.1/changelog.yml
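Review bot: The three input `description` values under the cyberark policy template are punctuated inconsistently — the udp and tcp entries have no trailing period while the logfile entry ends with one (`description: Collecting syslog from CyberArk via file.`); these strings are shown to users as-is, so either drop that period or end the other two the same way, e.g. `description: Collecting syslog from CyberArk via UDP.`. Separately, `version: 0.5.1` and `format_version: 1.0.0` are left unquoted while the neighbouring changelogs quote every version; both forms parse as strings here, so this is only a consistency point, but quoting them removes any doubt for future versions that could look numeric.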
@@ -0,0 +1,91 @@
+# newer versions go on top
+- version: "0.8.1"
+  changes:
+    - description: Mark package as deprecated. Please migrate to the infoblox_nios package.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3286
+- version: "0.8.0"
+  changes:
+    - description: Update to ECS 8.2.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2779
+- version: "0.7.0"
+  changes:
+    - description: Update to ECS 8.0.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2587
+- version: "0.6.1"
+  changes:
+    - description: Regenerate test files using the new GeoIP database
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2339
+- version: "0.6.0"
+  changes:
+    - description: Add 8.0.0 version constraint
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2262
+- version: "0.5.4"
+  changes:
+    - description: Uniform with guidelines
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2102
+- version: "0.5.3"
+  changes:
+    - description: Update Title and Description.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1969
+- version: "0.5.2"
+  changes:
+    - description: Fixed a bug that prevents the package from working in 7.16.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1882
+- version: "0.5.1"
+  changes:
+    - description: Fix logic that checks for the 'forwarded' tag
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1824
+- version: "0.5.0"
+  changes:
+    - description: Update to ECS 1.12.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1664
+- version: "0.4.3"
+  changes:
+    - description: Requires version 7.14.1 of the stack
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1541
+- version: "0.4.2"
+  changes:
+    - description: Convert to generated ECS fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1483
+- version: '0.4.1'
+  changes:
+    - description: update to ECS 1.11.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1390
+- version: "0.4.0"
+  changes:
+    - description: Update integration description
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1364
+- version: "0.3.0"
+  changes:
+    - description: Set "event.module" and "event.dataset"
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1265
+- version: "0.2.0"
+  changes:
+    - description: update to ECS 1.10.0 and adding event.original options
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1056
+- version: "0.1.4"
+  changes:
+    - description: update to ECS 1.9.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/851
+- version: "0.1.0"
+  changes:
+    - description: initial release
+      type: enhancement # can be one of: enhancement, bugfix, breaking-change
+      link: https://github.com/elastic/package-storage/pull/181
diff --git a/packages/infoblox/0.8.1/data_stream/nios/agent/stream/stream.yml.hbs b/packages/infoblox/0.8.1/data_stream/nios/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..f13c1384e8
--- /dev/null
+++ b/packages/infoblox/0.8.1/data_stream/nios/agent/stream/stream.yml.hbs
@@ -0,0 +1,6291 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Infoblox" + product: "Network" + type: "IPAM" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{hhostname->} %{p0}"); + + var dup2 = setc("eventcategory","1401070000"); + + var dup3 = setc("ec_theme","Authentication"); + + var dup4 = setc("ec_subject","User"); + + var dup5 = setc("ec_activity","Logoff"); + + var dup6 = setc("ec_outcome","Success"); + + var dup7 = setf("msg","$MSG"); + + var dup8 = date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup9 = setf("event_source","hhostname"); + + var dup10 = setc("eventcategory","1401060000"); + + var dup11 = setc("ec_activity","Logon"); + + var dup12 = setc("eventcategory","1609000000"); + + var dup13 = setc("eventcategory","1605000000"); + + var dup14 = setc("eventcategory","1401030000"); + + var dup15 = setc("ec_outcome","Failure"); + + var dup16 = setc("eventcategory","1603000000"); + + var dup17 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + + var dup18 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + + var dup19 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + + var dup20 = setc("action","DHCPDECLINE"); + + var dup21 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); + + var dup22 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); + + var dup23 = setc("action","DHCPRELEASE"); + + var dup24 = setc("action","DHCPDISCOVER"); + + var dup25 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); + + var dup26 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); + + var dup27 = setc("action","DHCPREQUEST"); + + var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); + + var dup29 = setc("event_description","unknown network segment"); + + var dup30 = date_time({ + dest: "event_time", + args: 
["month","day","time"], + fmts: [ + [dB,dF,dZ], + ], + }); + + var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); + + var dup32 = setc("action","DHCPACK"); + + var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); + + var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); + + var dup35 = setf("domain","zone"); + + var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + + var dup44 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); + + var dup45 = setc("event_description","updating zone"); + + var dup46 = match_copy("MESSAGE#60:named:19/2", "nwparser.p0", "event_description"); + + var dup47 = setf("domain","hostname"); + + var dup48 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); + + var dup49 = setc("eventcategory","1801010000"); + + var dup50 = setc("ec_activity","Request"); + + var dup51 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var dup52 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); + + var dup53 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); + + var dup54 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var dup55 = setc("action","Refused"); + + 
var dup56 = setf("dns_querytype","event_description"); + + var dup57 = setc("eventcategory","1901000000"); + + var dup58 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); + + var dup59 = setc("eventcategory","1801000000"); + + var dup60 = setf("zone","domain"); + + var dup61 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dD,dZ], + ], + }); + + var dup62 = setf("info","hdata"); + + var dup63 = setc("eventcategory","1301000000"); + + var dup64 = setc("eventcategory","1303000000"); + + var dup65 = match_copy("MESSAGE#7:httpd:06", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var dup66 = linear_select([ + dup18, + dup19, + ]); + + var dup67 = linear_select([ + dup21, + dup22, + ]); + + var dup68 = linear_select([ + dup26, + dup22, + ]); + + var dup69 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var dup70 = linear_select([ + dup33, + dup34, + ]); + + var dup71 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var dup72 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var dup73 = linear_select([ + dup52, + dup53, + ]); + + var dup74 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var dup75 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var dup76 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var dup77 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup62, + ])); + + var hdr1 = match("HEADER#0:001", "message", "%{month->} %{day->} %{time->} 
%{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","001"), + ])); + + var part1 = match("HEADER#1:006/1_0", "nwparser.p0", "%{hhostip} %{messageid}[%{data}]: %{p0}"); + + var part2 = match("HEADER#1:006/1_1", "nwparser.p0", "%{hhostip} %{messageid}: %{p0}"); + + var select1 = linear_select([ + part1, + part2, + ]); + + var part3 = match_copy("HEADER#1:006/2", "nwparser.p0", "payload"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","006"), + ]), + }); + + var hdr2 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","005"), + ])); + + var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "-%{p0}"); + + var part5 = match_copy("HEADER#3:002/1_1", "nwparser.p0", "p0"); + + var select2 = linear_select([ + part4, + part5, + ]); + + var part6 = match("HEADER#3:002/2", "nwparser.p0", ":%{messageid->} %{payload}"); + + var all2 = all_match({ + processors: [ + dup1, + select2, + part6, + ], + on_success: processor_chain([ + setc("header_id","002"), + ]), + }); + + var hdr3 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr4 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr5 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var select3 = linear_select([ + hdr1, + all1, + hdr2, + all2, + hdr3, + hdr4, + hdr5, + ]); + + var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + 
dup9, + ])); + + var msg1 = msg("httpd", part7); + + var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ + dup10, + dup3, + dup4, + dup11, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg2 = msg("httpd:01", part8); + + var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ + dup12, + dup7, + dup8, + dup9, + ])); + + var msg3 = msg("httpd:02", part9); + + var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ + dup12, + dup7, + dup8, + dup9, + ])); + + var msg4 = msg("httpd:03", part10); + + var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication for user %{username->} failed", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg5 = msg("httpd:04", part11); + + var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ + dup13, + dup7, + dup8, + dup9, + ])); + + var msg6 = msg("httpd:05", part12); + + var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ + dup14, + dup3, + dup4, + dup11, + dup15, + dup7, + dup8, + dup9, + ])); + + var msg7 = msg("httpd:07", part13); + + var msg8 = msg("httpd:06", dup65); + + var select4 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + ]); + + var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", 
processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","RRQ from remote host"), + ])); + + var msg9 = msg("in.tftpd:01", part14); + + var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","sending NAK to remote host"), + ])); + + var msg10 = msg("in.tftpd:02", part15); + + var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ + setc("eventcategory","1801030000"), + dup7, + dup9, + ])); + + var msg11 = msg("in.tftpd", part16); + + var select5 = linear_select([ + msg9, + msg10, + msg11, + ]); + + var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease time is %{p0}"); + + var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); + + var part19 = match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); + + var select6 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "seconds%{}"); + + var all3 = all_match({ + processors: [ + part17, + select6, + part20, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","received a REQUEST DHCP packet from relay-agent"), + ]), + }); + + var msg12 = msg("dhcpd:12", all3); + + var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","bind update rejected"), + ])); + + var msg13 = msg("dhcpd:21", part21); + + var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ + 
dup16, + dup7, + dup9, + setc("event_description","Unable to add forward map"), + ])); + + var msg14 = msg("dhcpd:10", part22); + + var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Average dynamic DNS update latency"), + ])); + + var msg15 = msg("dhcpd:13", part23); + + var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Dynamic DNS update timeout count"), + ])); + + var msg16 = msg("dhcpd:15", part24); + + var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Removed forward map"), + ])); + + var msg17 = msg("dhcpd:22", part25); + + var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Removed reverse map"), + ])); + + var msg18 = msg("dhcpd:25", part26); + + var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","received shutdown"), + ])); + + var msg19 = msg("dhcpd:06", part27); + + var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "new forward map from %{hostname->} %{space->} %{daddr}"); + + var all4 = all_match({ + processors: [ + dup17, + dup66, + part28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Added new forward map"), + ]), + }); + + var msg20 = msg("dhcpd:18", all4); + + var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "reverse map from %{hostname->} %{space->} %{daddr}"); + + var all5 = all_match({ + processors: [ + 
dup17, + dup66, + part29, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","added reverse map"), + ]), + }); + + var msg21 = msg("dhcpd:19", all5); + + var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Abandoning IP declined"), + ])); + + var msg22 = msg("dhcpd", part30); + + var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Abandoning IP pinged before offer"), + ])); + + var msg23 = msg("dhcpd:30", part31); + + var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ + dup16, + dup7, + dup9, + dup20, + ])); + + var msg24 = msg("dhcpd:01", part32); + + var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", processor_chain([ + dup16, + dup7, + dup9, + dup20, + ])); + + var msg25 = msg("dhcpd:02", part33); + + var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{dmacaddr->} %{p0}"); + + var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{interface->} (%{info})"); + + var all6 = all_match({ + processors: [ + part34, + dup67, + part35, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup23, + ]), + }); + + var msg26 = msg("dhcpd:03", all6); + + var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup24, + ])); + + var msg27 = msg("dhcpd:04", part36); + + var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); + + var part38 = 
match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); + + var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); + + var all7 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + setc("action","DHCPREQUEST ignored"), + ]), + }); + + var msg28 = msg("dhcpd:07", all7); + + var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{interface}: wrong network"); + + var all8 = all_match({ + processors: [ + dup25, + dup68, + part41, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup27, + setc("result","wrong network"), + ]), + }); + + var msg29 = msg("dhcpd:09", all8); + + var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{interface}: lease %{hostip->} unavailable"); + + var all9 = all_match({ + processors: [ + dup25, + dup68, + part42, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + dup27, + setc("result","lease unavailable"), + ]), + }); + + var msg30 = msg("dhcpd:26", all9); + + var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + dup27, + ])); + + var msg31 = msg("dhcpd:08", part43); + + var all10 = all_match({ + processors: [ + dup25, + dup68, + dup28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup27, + ]), + }); + + var msg32 = msg("dhcpd:11", all10); + + var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ + dup13, + dup7, + dup9, + dup23, + dup29, + ])); + + var msg33 = msg("dhcpd:31", part44); + + var part45 = match("MESSAGE#33:dhcpd:32", 
"nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + setc("action","BOOTREQUEST"), + dup30, + ])); + + var msg34 = msg("dhcpd:32", part45); + + var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Reclaiming abandoned lease"), + ])); + + var msg35 = msg("dhcpd:33", part46); + + var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); + + var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); + + var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); + + var select8 = linear_select([ + part48, + part49, + ]); + + var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); + + var part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); + + var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); + + var part53 = match_copy("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "fld7"); + + var select9 = linear_select([ + part51, + part52, + part53, + ]); + + var all11 = all_match({ + processors: [ + part47, + select8, + part50, + select9, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg36 = msg("dhcpd:34", all11); + + var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description"," Unable to add reverse map"), + ])); + + var msg37 = msg("dhcpd:35", part54); + + var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description"," Forward map 
failed"), + ])); + + var msg38 = msg("dhcpd:36", part55); + + var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{dmacaddr->} %{p0}"); + + var all12 = all_match({ + processors: [ + part56, + dup67, + dup31, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup32, + ]), + }); + + var msg39 = msg("dhcpd:14", all12); + + var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); + + var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); + + var part59 = match("MESSAGE#39:dhcpd:24/1_1", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + + var part60 = match("MESSAGE#39:dhcpd:24/1_2", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + + var select10 = linear_select([ + part58, + part59, + part60, + ]); + + var all13 = all_match({ + processors: [ + part57, + select10, + dup31, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("action","DHCPOFFER"), + ]), + }); + + var msg40 = msg("dhcpd:24", all13); + + var part61 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + setc("action","DHCPNAK"), + ])); + + var msg41 = msg("dhcpd:17", part61); + + var part62 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} %{p0}"); + + var all14 = all_match({ + processors: [ + part62, + dup68, + dup28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup24, + ]), + }); + + var msg42 = msg("dhcpd:05", all14); + + var part63 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + dup32, + ])); + + var msg43 = msg("dhcpd:16", part63); + + var part64 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + 
setc("action","DHCPINFORM"), + ])); + + var msg44 = msg("dhcpd:20", part64); + + var part65 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ + dup13, + dup7, + dup9, + setc("action","DHCPEXPIRE"), + ])); + + var msg45 = msg("dhcpd:23", part65); + + var part66 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg46 = msg("dhcpd:28", part66); + + var part67 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg47 = msg("dhcpd:29", part67); + + var part68 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg48 = msg("dhcpd:39", part68); + + var part69 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE on%{saddr}to%{dmacaddr}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg49 = msg("dhcpd:41", part69); + + var part70 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg50 = msg("dhcpd:42", part70); + + var part71 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup13, + dup7, + dup9, + setc("dclass_counter1_string","count of leases"), + dup30, + ])); + + var msg51 = msg("dhcpd:43", part71); + + var part72 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE 
from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup29, + ])); + + var msg52 = msg("dhcpd:44", part72); + + var part73 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg53 = msg("dhcpd:45", part73); + + var part74 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Reclaiming REQUESTed abandoned IP address"), + ])); + + var msg54 = msg("dhcpd:46", part74); + + var part75 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); + + var part76 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{p0}"); + + var part77 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{p0}"); + + var select11 = linear_select([ + part76, + part77, + ]); + + var part78 = match_copy("MESSAGE#198:dhcpd:47/2", "nwparser.p0", "macaddr"); + + var all15 = all_match({ + processors: [ + part75, + select11, + part78, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg55 = msg("dhcpd:47", all15); + + var part79 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg56 = msg("dhcpd:48", part79); + + var part80 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("protocol","ICMP"), + ])); + + var msg57 = msg("dhcpd:49", part80); + + var part81 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. 
Not abandoning %{hostip}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg58 = msg("dhcpd:50", part81); + + var part82 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); + + var part83 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); + + var select12 = linear_select([ + part82, + part83, + ]); + + var part84 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); + + var part85 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); + + var part86 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); + + var select13 = linear_select([ + part85, + part86, + ]); + + var part87 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); + + var all16 = all_match({ + processors: [ + select12, + part84, + select13, + part87, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("disposition","deferred"), + ]), + }); + + var msg59 = msg("dhcpd:51", all16); + + var part88 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg60 = msg("dhcpd:52", part88); + + var msg61 = msg("dhcpd:37", dup69); + + var select14 = linear_select([ + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + ]); + + var part89 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","system event status"), + ])); 
+ + var msg62 = msg("ntpd:05", part89); + + var part90 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","frequency initialized from file"), + ])); + + var msg63 = msg("ntpd:04", part90); + + var part91 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg64 = msg("ntpd:03", part91); + + var part92 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","time slew duraion"), + ])); + + var msg65 = msg("ntpd", part92); + + var part93 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","signal had flags"), + ])); + + var msg66 = msg("ntpd:01", part93); + + var msg67 = msg("ntpd:02", dup65); + + var select15 = linear_select([ + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + ]); + + var part94 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); + + var all17 = all_match({ + processors: [ + part94, + dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + ]), + }); + + var msg68 = msg("named:16", all17); + + var part95 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); + + var all18 = all_match({ + processors: [ + part95, + dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + dup35, + ]), + }); + + var msg69 = msg("named", all18); + + var part96 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); + + var all19 = all_match({ + processors: [ + part96, 
+ dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + ]), + }); + + var msg70 = msg("named:12", all19); + + var part97 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); + + var part98 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); + + var select16 = linear_select([ + part97, + part98, + ]); + + var part99 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); + + var all20 = all_match({ + processors: [ + dup36, + select16, + part99, + dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + ]), + }); + + var msg71 = msg("named:01", all20); + + var part100 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); + + var part101 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); + + var part102 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); + + var select17 = linear_select([ + part102, + dup40, + ]); + + var part103 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); + + var select18 = linear_select([ + dup41, + part103, + ]); + + var all21 = all_match({ + processors: [ + part100, + dup71, + part101, + select17, + select18, + dup72, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup45, + dup35, + ]), + }); + + var msg72 = msg("named:17", all21); + + var part104 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); + + var part105 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); + + var part106 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); + + var select19 = linear_select([ + part105, + part106, + ]); + + var part107 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); + + var all22 = all_match({ + processors: [ + part104, + select19, + part107, + ], + on_success: 
processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg73 = msg("named:18", all22); + + var part108 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); + + var part109 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); + + var part110 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); + + var select20 = linear_select([ + part110, + dup40, + ]); + + var part111 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); + + var select21 = linear_select([ + dup41, + part111, + ]); + + var all23 = all_match({ + processors: [ + part108, + dup71, + part109, + select20, + select21, + dup72, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup45, + dup35, + ]), + }); + + var msg74 = msg("named:02", all23); + + var part112 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); + + var part113 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); + + var part114 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); + + var select22 = linear_select([ + part113, + part114, + ]); + + var all24 = all_match({ + processors: [ + part112, + select22, + dup46, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup47, + ]), + }); + + var msg75 = msg("named:19", all24); + + var part115 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg76 = msg("named:03", part115); + + var part116 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","notify zone is up to date"), + ])); + + var msg77 = 
msg("named:11", part116); + + var part117 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg78 = msg("named:13", part117); + + var part118 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg79 = msg("named:14", part118); + + var part119 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg80 = msg("named:15", part119); + + var part120 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); + + var part121 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); + + var select23 = linear_select([ + part121, + dup48, + ]); + + var all25 = all_match({ + processors: [ + part120, + select23, + ], + on_success: processor_chain([ + dup49, + dup50, + dup15, + dup7, + dup9, + setc("event_description","DNS format error"), + dup30, + ]), + }); + + var msg81 = msg("named:25", all25); + + var part122 = match("MESSAGE#67:named:63/2", "nwparser.p0", "#%{saddr->} %{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); + + var all26 = all_match({ + processors: [ + dup51, + dup73, + part122, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg82 = msg("named:63", all26); + + var part123 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); + + var part124 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); + + var part125 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); + + 
var select24 = linear_select([ + part124, + part125, + ]); + + var part126 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); + + var all27 = all_match({ + processors: [ + part123, + select24, + part126, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg83 = msg("named:72", all27); + + var part127 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg84 = msg("named:28", part127); + + var part128 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); + + var part129 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{p0}"); + + var part130 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{p0}"); + + var select25 = linear_select([ + part129, + part130, + ]); + + var all28 = all_match({ + processors: [ + part128, + select25, + dup48, + ], + on_success: processor_chain([ + dup49, + dup7, + dup9, + dup30, + setc("event_description","failed"), + ]), + }); + + var msg85 = msg("named:71", all28); + + var part131 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: %{p0}"); + + var part132 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); + + var select26 = linear_select([ + part132, + dup46, + ]); + + var all29 = all_match({ + processors: [ + part131, + select26, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg86 = msg("named:70", all29); + + var part133 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); + + var part134 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); + + var part135 = match("MESSAGE#72:named:40/1_1", 
"nwparser.p0", "%{protocol}: query: %{p0}"); + + var select27 = linear_select([ + part134, + part135, + ]); + + var part136 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); + + var part137 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); + + var part138 = match_copy("MESSAGE#72:named:40/3_1", "nwparser.p0", "context"); + + var select28 = linear_select([ + part137, + part138, + ]); + + var all30 = all_match({ + processors: [ + part133, + select27, + part136, + select28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg87 = msg("named:40", all30); + + var part139 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg88 = msg("named:05", part139); + + var part140 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); + + var part141 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); + + var part142 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); + + var select29 = linear_select([ + part140, + part141, + part142, + dup54, + ]); + + var part143 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); + + var all31 = all_match({ + processors: [ + dup36, + select29, + part143, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","dns query"), + ]), + }); + + var msg89 = msg("named:10", all31); + + var part144 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","received notify for zone"), + ])); + + var msg90 = msg("named:29", part144); + + var part145 = match("MESSAGE#76:named:08", "nwparser.payload", "client 
%{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","client received notify for zone"), + ])); + + var msg91 = msg("named:08", part145); + + var part146 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","client update forwarding for zone denied"), + ])); + + var msg92 = msg("named:09", part146); + + var part147 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); + + var part148 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); + + var part149 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); + + var select30 = linear_select([ + part148, + part149, + ]); + + var part150 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); + + var part151 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. 
Zone version is now %{version}."); + + var part152 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); + + var select31 = linear_select([ + part151, + part152, + ]); + + var all32 = all_match({ + processors: [ + part147, + select30, + part150, + select31, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg93 = msg("named:76", all32); + + var part153 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg94 = msg("named:75", part153); + + var part154 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); + + var part155 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); + + var part156 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); + + var select32 = linear_select([ + part155, + part156, + ]); + + var all33 = all_match({ + processors: [ + part154, + select32, + dup46, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg95 = msg("named:06", all33); + + var part157 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup50, + dup15, + dup7, + dup9, + dup55, + dup30, + dup56, + ])); + + var msg96 = msg("named:20", part157); + + var part158 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); + + var part159 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); + + var part160 = match_copy("MESSAGE#82:named:49/1_1", "nwparser.p0", "fld1"); + + var select33 = linear_select([ + part159, + part160, + ]); + + var all34 = all_match({ + processors: [ + part158, + select33, + ], + on_success: processor_chain([ + dup57, + dup50, + dup15, + 
dup7, + dup9, + dup55, + dup30, + dup35, + ]), + }); + + var msg97 = msg("named:49", all34); + + var part161 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{fld2}: zone transfer%{p0}"); + + var part162 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "zone transfer%{p0}"); + + var select34 = linear_select([ + part161, + part162, + ]); + + var part163 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); + + var all35 = all_match({ + processors: [ + dup58, + select34, + part163, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg98 = msg("named:24", all35); + + var part164 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{fld2}: no more recursive clients %{p0}"); + + var part165 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "no more recursive clients%{p0}"); + + var select35 = linear_select([ + part164, + part165, + ]); + + var part166 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); + + var all36 = all_match({ + processors: [ + dup58, + select35, + part166, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg99 = msg("named:26", all36); + + var part167 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{fld2->} : %{fld3->} response from Internet for %{p0}"); + + var part168 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{fld3->} response from Internet for %{p0}"); + + var select36 = linear_select([ + part167, + part168, + ]); + + var part169 = match_copy("MESSAGE#85:named:27/2", "nwparser.p0", "fld4"); + + var all37 = all_match({ + processors: [ + dup58, + select36, + part169, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg100 = msg("named:27", all37); + + var part170 = match("MESSAGE#86:named:38/2", "nwparser.p0", "#%{saddr->} %{p0}"); + + var part171 = match("MESSAGE#86:named:38/3_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + + var part172 = match("MESSAGE#86:named:38/3_1", 
"nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); + + var select37 = linear_select([ + part171, + part172, + dup54, + ]); + + var part173 = match("MESSAGE#86:named:38/4", "nwparser.p0", "%{}query%{p0}"); + + var part174 = match("MESSAGE#86:named:38/5_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); + + var part175 = match("MESSAGE#86:named:38/5_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); + + var select38 = linear_select([ + part174, + part175, + ]); + + var all38 = all_match({ + processors: [ + dup51, + dup73, + part170, + select37, + part173, + select38, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg101 = msg("named:38", all38); + + var part176 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup50, + dup15, + dup7, + dup9, + dup55, + ])); + + var msg102 = msg("named:39", part176); + + var part177 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg103 = msg("named:46", part177); + + var part178 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg104 = msg("named:64", part178); + + var part179 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, + dup47, + ])); + + var msg105 = msg("named:45", part179); + + var part180 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: 
updating zone '%{p0}"); + + var part181 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); + + var part182 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); + + var select39 = linear_select([ + part181, + part182, + ]); + + var part183 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); + + var part184 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa"); + + var part185 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6}"); + + var part186 = match_copy("MESSAGE#91:named:44/3_2", "nwparser.p0", "fld5"); + + var select40 = linear_select([ + part184, + part185, + part186, + ]); + + var all39 = all_match({ + processors: [ + part180, + select39, + part183, + select40, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg106 = msg("named:44", all39); + + var part187 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg107 = msg("named:43", part187); + + var part188 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup7, + dup9, + dup56, + ])); + + var msg108 = msg("named:42", part188); + + var part189 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg109 = msg("named:41", part189); + + var part190 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ + setc("eventcategory","1502000000"), + dup7, + dup9, + ])); + + var msg110 = msg("named:47", part190); + + var part191 = match("MESSAGE#96:named:48", 
"nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup57, + dup7, + dup9, + dup30, + ])); + + var msg111 = msg("named:48", part191); + + var part192 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg112 = msg("named:62", part192); + + var part193 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg113 = msg("named:53", part193); + + var part194 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ + dup49, + dup7, + dup9, + setc("event_description"," query failed"), + ])); + + var msg114 = msg("named:77", part194); + + var part195 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ + dup59, + dup7, + dup9, + dup47, + ])); + + var msg115 = msg("named:52", part195); + + var part196 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ + dup59, + dup7, + dup9, + ])); + + var msg116 = msg("named:50", part196); + + var part197 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup57, + dup7, + dup9, + dup50, + dup15, + dup55, + ])); + + var msg117 = msg("named:51", part197); + + var part198 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup59, + dup7, + dup9, + dup3, + dup15, + dup30, + ])); + + var msg118 = msg("named:54", part198); + + var part199 = match("MESSAGE#104:named:55/0", 
"nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); + + var part200 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); + + var part201 = match_copy("MESSAGE#104:named:55/1_1", "nwparser.p0", "fld2"); + + var select41 = linear_select([ + part200, + part201, + ]); + + var all40 = all_match({ + processors: [ + part199, + select41, + ], + on_success: processor_chain([ + dup59, + dup7, + dup9, + dup6, + dup30, + dup60, + ]), + }); + + var msg119 = msg("named:55", all40); + + var part202 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, + dup50, + dup15, + dup30, + dup60, + ])); + + var msg120 = msg("named:56", part202); + + var part203 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, + setc("ec_outcome","Error"), + dup30, + dup60, + ])); + + var msg121 = msg("named:57", part203); + + var part204 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); + + var part205 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); + + var part206 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); + + var select42 = linear_select([ + part205, + part206, + ]); + + var part207 = match_copy("MESSAGE#107:named:04/2", "nwparser.p0", "sport"); + + var all41 = all_match({ + processors: [ + part204, + select42, + part207, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg122 = msg("named:04", all41); + + var part208 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, + dup30, + dup60, + ])); + + var msg123 = 
msg("named:58", part208); + + var part209 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup60, + ])); + + var msg124 = msg("named:59", part209); + + var part210 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup60, + setc("event_description","skipping nameserver because it is a CNAME"), + ])); + + var msg125 = msg("named:60", part210); + + var part211 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg126 = msg("named:61", part211); + + var part212 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup35, + ])); + + var msg127 = msg("named:73", part212); + + var part213 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg128 = msg("named:74", part213); + + var part214 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); + + var part215 = match_copy("MESSAGE#114:named:07/0_1", "nwparser.payload", "event_description"); + + var select43 = linear_select([ + part214, + part215, + ]); + + var all42 = all_match({ + processors: [ + select43, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg129 = msg("named:07", all42); + + var select44 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + 
msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + ]); + + var part216 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","can't read sid"), + ])); + + var msg130 = msg("pidof:01", part216); + + var part217 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg131 = msg("pidof", part217); + + var select45 = linear_select([ + msg130, + msg131, + ]); + + var part218 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. 
%{result}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Configured local-address not available as source address for DNS updates"), + ])); + + var msg132 = msg("validate_dhcpd:01", part218); + + var msg133 = msg("validate_dhcpd", dup74); + + var select46 = linear_select([ + msg132, + msg133, + ]); + + var msg134 = msg("syslog-ng", dup65); + + var part219 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg135 = msg("kernel", part219); + + var msg136 = msg("kernel:01", dup65); + + var select47 = linear_select([ + msg135, + msg136, + ]); + + var msg137 = msg("radiusd", dup65); + + var part220 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg138 = msg("rc", part220); + + var msg139 = msg("rc3", dup65); + + var part221 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg140 = msg("rcsysinit", part221); + + var msg141 = msg("rcsysinit:01", dup65); + + var select48 = linear_select([ + msg140, + msg141, + ]); + + var part222 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg142 = msg("watchdog", part222); + + var part223 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg143 = msg("watchdog:01", part223); + + var part224 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg144 = msg("watchdog:02", part224); + + var part225 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = 
%{resultcode}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg145 = msg("watchdog:03", part225); + + var msg146 = msg("watchdog:04", dup65); + + var select49 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var msg147 = msg("init", dup65); + + var part226 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg148 = msg("logger", part226); + + var msg149 = msg("logger:01", dup65); + + var select50 = linear_select([ + msg148, + msg149, + ]); + + var part227 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg150 = msg("openvpn-member", part227); + + var msg151 = msg("openvpn-member:01", dup75); + + var part228 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg152 = msg("openvpn-member:02", part228); + + var part229 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg153 = msg("openvpn-member:03", part229); + + var msg154 = msg("openvpn-member:04", dup76); + + var msg155 = msg("openvpn-member:05", dup65); + + var select51 = linear_select([ + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + ]); + + var part230 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg156 = msg("sshd", part230); + + var part231 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); + + var part232 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); + + var part233 = match("MESSAGE#140:sshd:01/1_1", 
"nwparser.p0", "%{username->} from %{p0}"); + + var select52 = linear_select([ + part232, + part233, + ]); + + var part234 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); + + var all43 = all_match({ + processors: [ + part231, + select52, + part234, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg157 = msg("sshd:01", all43); + + var part235 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg158 = msg("sshd:02", part235); + + var part236 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg159 = msg("sshd:03", part236); + + var part237 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ + setc("eventcategory","1601000000"), + dup7, + dup9, + ])); + + var msg160 = msg("sshd:04", part237); + + var part238 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ + dup2, + dup3, + dup5, + dup15, + dup7, + dup9, + setc("event_description","logout"), + ])); + + var msg161 = msg("sshd:05", part238); + + var part239 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ + dup16, + dup7, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + ])); + + var msg162 = msg("sshd:06", part239); + + var part240 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup13, + dup7, + setc("result","slowing down ssh login"), + setc("event_description","Sleep 60 seconds"), + ])); + + var msg163 = msg("sshd:07", part240); + + var part241 = 
match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010300"), + dup7, + setc("event_description","authentication succeeded"), + dup9, + dup61, + ])); + + var msg164 = msg("sshd:08", part241); + + var part242 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","User group"), + dup61, + ])); + + var msg165 = msg("sshd:09", part242); + + var part243 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Bad protocol version identification"), + dup61, + ])); + + var msg166 = msg("sshd:10", part243); + + var select53 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + ]); + + var part244 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg167 = msg("openvpn-master", part244); + + var part245 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg168 = msg("openvpn-master:01", part245); + + var msg169 = msg("openvpn-master:02", dup75); + + var part246 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg170 = msg("openvpn-master:03", part246); + + var part247 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg171 = msg("openvpn-master:04", 
part247); + + var part248 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg172 = msg("openvpn-master:05", part248); + + var msg173 = msg("openvpn-master:06", dup76); + + var msg174 = msg("openvpn-master:07", dup65); + + var select54 = linear_select([ + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + ]); + + var part249 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg175 = msg("INFOBLOX-Grid", part249); + + var part250 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); + + var part251 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); + + var select55 = linear_select([ + part250, + part251, + ]); + + var part252 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); + + var all44 = all_match({ + processors: [ + select55, + part252, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg176 = msg("INFOBLOX-Grid:02", all44); + + var part253 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Upgrade Complete"), + ])); + + var msg177 = msg("INFOBLOX-Grid:03", part253); + + var part254 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg178 = msg("INFOBLOX-Grid:04", part254); + + var select56 = linear_select([ + msg175, + msg176, + msg177, + msg178, + ]); + + var part255 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg179 = msg("db_jnld", part255); + + var 
part256 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); + + var part257 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); + + var part258 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); + + var part259 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); + + var part260 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); + + var part261 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); + + var select57 = linear_select([ + part257, + part258, + part259, + part260, + part261, + ]); + + var part262 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "\"%{fld1}\" in zone \"%{zone}\""); + + var all45 = all_match({ + processors: [ + part256, + select57, + part262, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg180 = msg("db_jnld:01", all45); + + var select58 = linear_select([ + msg179, + msg180, + ]); + + var part263 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); + + var part264 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes}"); + + var part265 = match_copy("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "space"); + + var select59 = linear_select([ + part264, + part265, + ]); + + var all46 = all_match({ + processors: [ + part263, + select59, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg181 = msg("sSMTP", all46); + + var part266 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg182 = msg("sSMTP:02", part266); + + var part267 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg183 = msg("sSMTP:03", part267); + + var msg184 = msg("sSMTP:04", dup74); + + var select60 = 
linear_select([ + msg181, + msg182, + msg183, + msg184, + ]); + + var part268 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg185 = msg("scheduled_backups", part268); + + var part269 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Scheduled backup to the FTP server was successful"), + ])); + + var msg186 = msg("scheduled_ftp_backups", part269); + + var part270 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Scheduled backup to the FTP server failed"), + ])); + + var msg187 = msg("failed_scheduled_ftp_backups", part270); + + var select61 = linear_select([ + msg186, + msg187, + ]); + + var part271 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Scheduled backup to the SCP server was successful"), + ])); + + var msg188 = msg("scheduled_scp_backups", part271); + + var part272 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg189 = msg("python", part272); + + var part273 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg190 = msg("python:01", part273); + + var part274 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view 
'%{fld1}'.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg191 = msg("python:02", part274); + + var part275 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg192 = msg("python:03", part275); + + var part276 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg193 = msg("python:04", part276); + + var part277 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg194 = msg("python:05", part277); + + var msg195 = msg("python:06", dup65); + + var select62 = linear_select([ + msg189, + msg190, + msg191, + msg192, + msg193, + msg194, + msg195, + ]); + + var part278 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup12, + dup7, + dup9, + ])); + + var msg196 = msg("monitor", part278); + + var part279 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg197 = msg("snmptrapd", part279); + + var part280 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg198 = msg("snmptrapd:01", part280); + + var msg199 = msg("snmptrapd:02", dup65); + + var select63 = linear_select([ + msg197, + msg198, + msg199, + ]); + + var part281 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg200 = msg("ntpdate", part281); + + var 
msg201 = msg("ntpdate:01", dup74); + + var select64 = linear_select([ + msg200, + msg201, + ]); + + var msg202 = msg("phonehome", dup65); + + var part282 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg203 = msg("purge_scheduled_tasks", part282); + + var part283 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ + dup14, + dup3, + dup4, + dup11, + dup15, + dup7, + date_time({ + dest: "event_time", + args: ["fld20","fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup9, + setc("event_description","Login Denied"), + ])); + + var msg204 = msg("serial_console:04", part283); + + var part284 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ + dup14, + dup3, + dup4, + dup11, + dup15, + dup7, + dup9, + setc("event_description","No authentication methods succeeded for user"), + ])); + + var msg205 = msg("serial_console:03", part284); + + var part285 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ + dup10, + dup3, + dup4, + dup11, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg206 = msg("serial_console", part285); + + var part286 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010100"), + dup3, + dup4, + dup11, + dup6, + dup7, + dup9, + setc("event_description","RADIUS authentication succeeded for user"), + ])); + + var msg207 = msg("serial_console:01", part286); + + var part287 = 
match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","User group identification"), + ])); + + var msg208 = msg("serial_console:02", part287); + + var part288 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","system reboot"), + ])); + + var msg209 = msg("serial_console:05", part288); + + var part289 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Local authentication succeeded for user"), + ])); + + var msg210 = msg("serial_console:06", part289); + + var select65 = linear_select([ + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + ]); + + var msg211 = msg("rc6", dup65); + + var msg212 = msg("acpid", dup65); + + var msg213 = msg("diskcheck", dup65); + + var part290 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg214 = msg("debug_mount", part290); + + var msg215 = msg("smart_check_io", dup65); + + var msg216 = msg("speedstep_control", dup65); + + var part291 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Distribution Started"), + ])); + + var msg217 = msg("controld", part291); + + var part292 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Distribution Complete"), + ])); + + var msg218 = msg("controld:02", part292); + + var select66 = linear_select([ + msg217, + msg218, + ]); + + var part293 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", 
processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","shutting down for system reboot"), + ])); + + var msg219 = msg("shutdown", part293); + + var part294 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","ntpd exiting"), + ])); + + var msg220 = msg("ntpd_initres", part294); + + var part295 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg221 = msg("rsyncd", part295); + + var part296 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg222 = msg("rsyncd:01", part296); + + var part297 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg223 = msg("rsyncd:02", part297); + + var part298 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg224 = msg("rsyncd:03", part298); + + var part299 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ + dup13, + dup7, + setc("event_description","building file list"), + dup9, + ])); + + var msg225 = msg("rsyncd:04", part299); + + var select67 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + ]); + + var msg226 = msg("syslog", dup77); + + var msg227 = msg("restarting", dup77); + + var part300 = match_copy("MESSAGE#227:ipmievd", "nwparser.payload", "fld1", processor_chain([ + dup13, + dup7, + dup9, + dup62, + ])); + + var msg228 = msg("ipmievd", part300); + + var part301 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + 
dup59, + dup7, + dup9, + dup61, + ])); + + var msg229 = msg("netauto_discovery", part301); + + var part302 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup59, + dup7, + dup9, + dup61, + setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), + ])); + + var msg230 = msg("netauto_discovery:01", part302); + + var part303 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg231 = msg("netauto_discovery:02", part303); + + var part304 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup63, + dup7, + dup9, + dup61, + dup15, + ])); + + var msg232 = msg("netauto_discovery:03", part304); + + var select68 = linear_select([ + msg229, + msg230, + msg231, + msg232, + ]); + + var part305 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg233 = msg("netauto_core:01", part305); + + var part306 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg234 = msg("netauto_core", part306); + + var select69 = linear_select([ + msg233, + msg234, + ]); + + var part307 = match_copy("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "event_description", processor_chain([ + dup49, + dup7, + dup9, + dup61, + dup15, + ])); + + var msg235 = msg("captured_dns_uploader", part307); + + var part308 = 
match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup63, + dup7, + dup9, + dup61, + dup11, + dup15, + ])); + + var msg236 = msg("DIS", part308); + + var part309 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg237 = msg("DIS:01", part309); + + var select70 = linear_select([ + msg236, + msg237, + ]); + + var part310 = match_copy("MESSAGE#237:ErrorMsg", "nwparser.payload", "result", processor_chain([ + dup64, + dup7, + dup9, + dup61, + ])); + + var msg238 = msg("ErrorMsg", part310); + + var part311 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + dup61, + ])); + + var msg239 = msg("tacacs_acct", part311); + + var part312 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. 
%{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup64, + dup7, + dup9, + dup61, + setc("event_description","Accounting request failed."), + ])); + + var msg240 = msg("tacacs_acct:01", part312); + + var part313 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ + dup13, + dup7, + dup9, + dup61, + ])); + + var msg241 = msg("tacacs_acct:02", part313); + + var select71 = linear_select([ + msg239, + msg240, + msg241, + ]); + + var part314 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Relay-forward message"), + ])); + + var msg242 = msg("dhcpdv6", part314); + + var part315 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulated Solicit message"), + ])); + + var msg243 = msg("dhcpdv6:01", part315); + + var part316 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","IP unknown - No addresses available for this interface"), + ])); + + var msg244 = msg("dhcpdv6:02", part316); + + var part317 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulating Advertise message"), + ])); + + var msg245 = msg("dhcpdv6:03", part317); + + var part318 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port 
%{sport}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Sending Relay-reply message"), + ])); + + var msg246 = msg("dhcpdv6:04", part318); + + var part319 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulated Information-request message"), + ])); + + var msg247 = msg("dhcpdv6:05", part319); + + var part320 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulating Reply message"), + ])); + + var msg248 = msg("dhcpdv6:06", part320); + + var part321 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulated Renew message"), + ])); + + var msg249 = msg("dhcpdv6:07", part321); + + var part322 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg250 = msg("dhcpdv6:08", part322); + + var msg251 = msg("dhcpdv6:09", dup69); + + var select72 = linear_select([ + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, + ]); + + var msg252 = msg("debug", dup69); + + var part323 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","proxying request"), + ])); + + var msg253 = msg("cloud_api", part323); + + var chain1 = processor_chain([ 
+ select3, + msgid_select({ + "DIS": select70, + "ErrorMsg": msg238, + "INFOBLOX-Grid": select56, + "acpid": msg212, + "captured_dns_uploader": msg235, + "cloud_api": msg253, + "controld": select66, + "db_jnld": select58, + "debug": msg252, + "debug_mount": msg214, + "dhcpd": select14, + "dhcpdv6": select72, + "diskcheck": msg213, + "httpd": select4, + "in.tftpd": select5, + "init": msg147, + "ipmievd": msg228, + "kernel": select47, + "logger": select50, + "monitor": msg196, + "named": select44, + "netauto_core": select69, + "netauto_discovery": select68, + "ntpd": select15, + "ntpd_initres": msg220, + "ntpdate": select64, + "openvpn-master": select54, + "openvpn-member": select51, + "phonehome": msg202, + "pidof": select45, + "purge_scheduled_tasks": msg203, + "python": select62, + "radiusd": msg137, + "rc": msg138, + "rc3": msg139, + "rc6": msg211, + "rcsysinit": select48, + "restarting": msg227, + "rsyncd": select67, + "sSMTP": select60, + "scheduled_backups": msg185, + "scheduled_ftp_backups": select61, + "scheduled_scp_backups": msg188, + "serial_console": select65, + "shutdown": msg219, + "smart_check_io": msg215, + "snmptrapd": select63, + "speedstep_control": msg216, + "sshd": select53, + "syslog": msg226, + "syslog-ng": msg134, + "tacacs_acct": select71, + "validate_dhcpd": select46, + "watchdog": select49, + }), + ]); + + var hdr6 = match("HEADER#1:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); + + var part324 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + + var part325 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + + var part326 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + + var part327 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); + + var part328 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); + + var part329 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); + 
+ var part330 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); + + var part331 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); + + var part332 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); + + var part333 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); + + var part334 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); + + var part335 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var part336 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var part337 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var part338 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var part339 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var part340 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var part341 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var part342 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + + var part343 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); + + var part344 = match_copy("MESSAGE#60:named:19/2", "nwparser.p0", "event_description"); + + var part345 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); + + var part346 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var part347 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); + + var part348 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); + + var part349 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var part350 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); + + var part351 = match_copy("MESSAGE#7:httpd:06", 
"nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var select73 = linear_select([ + dup18, + dup19, + ]); + + var select74 = linear_select([ + dup21, + dup22, + ]); + + var select75 = linear_select([ + dup26, + dup22, + ]); + + var part352 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var select76 = linear_select([ + dup33, + dup34, + ]); + + var select77 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var select78 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var select79 = linear_select([ + dup52, + dup53, + ]); + + var part353 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var part354 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var part355 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var part356 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup62, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + 
target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/infoblox/0.8.1/data_stream/nios/agent/stream/tcp.yml.hbs b/packages/infoblox/0.8.1/data_stream/nios/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..f7d50e8691 --- /dev/null +++ b/packages/infoblox/0.8.1/data_stream/nios/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,6288 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Infoblox" + product: "Network" + type: "IPAM" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter:
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field:
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{hhostname->} %{p0}"); + + var dup2 = setc("eventcategory","1401070000"); + + var dup3 = setc("ec_theme","Authentication"); + + var dup4 = setc("ec_subject","User"); + + var dup5 = setc("ec_activity","Logoff"); + + var dup6 = setc("ec_outcome","Success"); + + var dup7 = setf("msg","$MSG"); + + var dup8 = date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup9 = setf("event_source","hhostname"); + + var dup10 = setc("eventcategory","1401060000"); + + var dup11 = setc("ec_activity","Logon"); + + var dup12 = setc("eventcategory","1609000000"); + + var dup13 = setc("eventcategory","1605000000"); + + var dup14 = setc("eventcategory","1401030000"); + + var dup15 = setc("ec_outcome","Failure"); + + var dup16 = setc("eventcategory","1603000000"); + + var dup17 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + + var dup18 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + + var dup19 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + + var dup20 = setc("action","DHCPDECLINE"); + + var dup21 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); + + var dup22 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); + + var dup23 = setc("action","DHCPRELEASE"); + + var dup24 = setc("action","DHCPDISCOVER"); + + var dup25 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); + + var dup26 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); + + var dup27 = setc("action","DHCPREQUEST"); + + var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); + + var dup29 = setc("event_description","unknown network segment"); + + var dup30 = date_time({ + dest: "event_time", + args: 
["month","day","time"], + fmts: [ + [dB,dF,dZ], + ], + }); + + var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); + + var dup32 = setc("action","DHCPACK"); + + var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); + + var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); + + var dup35 = setf("domain","zone"); + + var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + + var dup44 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); + + var dup45 = setc("event_description","updating zone"); + + var dup46 = match_copy("MESSAGE#60:named:19/2", "nwparser.p0", "event_description"); + + var dup47 = setf("domain","hostname"); + + var dup48 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); + + var dup49 = setc("eventcategory","1801010000"); + + var dup50 = setc("ec_activity","Request"); + + var dup51 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var dup52 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); + + var dup53 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); + + var dup54 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var dup55 = setc("action","Refused"); + + 
var dup56 = setf("dns_querytype","event_description"); + + var dup57 = setc("eventcategory","1901000000"); + + var dup58 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); + + var dup59 = setc("eventcategory","1801000000"); + + var dup60 = setf("zone","domain"); + + var dup61 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dD,dZ], + ], + }); + + var dup62 = setf("info","hdata"); + + var dup63 = setc("eventcategory","1301000000"); + + var dup64 = setc("eventcategory","1303000000"); + + var dup65 = match_copy("MESSAGE#7:httpd:06", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var dup66 = linear_select([ + dup18, + dup19, + ]); + + var dup67 = linear_select([ + dup21, + dup22, + ]); + + var dup68 = linear_select([ + dup26, + dup22, + ]); + + var dup69 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var dup70 = linear_select([ + dup33, + dup34, + ]); + + var dup71 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var dup72 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var dup73 = linear_select([ + dup52, + dup53, + ]); + + var dup74 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var dup75 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var dup76 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var dup77 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup62, + ])); + + var hdr1 = match("HEADER#0:001", "message", "%{month->} %{day->} %{time->} 
%{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","001"), + ])); + + var part1 = match("HEADER#1:006/1_0", "nwparser.p0", "%{hhostip} %{messageid}[%{data}]: %{p0}"); + + var part2 = match("HEADER#1:006/1_1", "nwparser.p0", "%{hhostip} %{messageid}: %{p0}"); + + var select1 = linear_select([ + part1, + part2, + ]); + + var part3 = match_copy("HEADER#1:006/2", "nwparser.p0", "payload"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","006"), + ]), + }); + + var hdr2 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","005"), + ])); + + var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "-%{p0}"); + + var part5 = match_copy("HEADER#3:002/1_1", "nwparser.p0", "p0"); + + var select2 = linear_select([ + part4, + part5, + ]); + + var part6 = match("HEADER#3:002/2", "nwparser.p0", ":%{messageid->} %{payload}"); + + var all2 = all_match({ + processors: [ + dup1, + select2, + part6, + ], + on_success: processor_chain([ + setc("header_id","002"), + ]), + }); + + var hdr3 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr4 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr5 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var select3 = linear_select([ + hdr1, + all1, + hdr2, + all2, + hdr3, + hdr4, + hdr5, + ]); + + var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + 
dup9, + ])); + + var msg1 = msg("httpd", part7); + + var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ + dup10, + dup3, + dup4, + dup11, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg2 = msg("httpd:01", part8); + + var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ + dup12, + dup7, + dup8, + dup9, + ])); + + var msg3 = msg("httpd:02", part9); + + var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ + dup12, + dup7, + dup8, + dup9, + ])); + + var msg4 = msg("httpd:03", part10); + + var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication for user %{username->} failed", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg5 = msg("httpd:04", part11); + + var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ + dup13, + dup7, + dup8, + dup9, + ])); + + var msg6 = msg("httpd:05", part12); + + var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ + dup14, + dup3, + dup4, + dup11, + dup15, + dup7, + dup8, + dup9, + ])); + + var msg7 = msg("httpd:07", part13); + + var msg8 = msg("httpd:06", dup65); + + var select4 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + ]); + + var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", 
processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","RRQ from remote host"), + ])); + + var msg9 = msg("in.tftpd:01", part14); + + var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","sending NAK to remote host"), + ])); + + var msg10 = msg("in.tftpd:02", part15); + + var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ + setc("eventcategory","1801030000"), + dup7, + dup9, + ])); + + var msg11 = msg("in.tftpd", part16); + + var select5 = linear_select([ + msg9, + msg10, + msg11, + ]); + + var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease time is %{p0}"); + + var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); + + var part19 = match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); + + var select6 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "seconds%{}"); + + var all3 = all_match({ + processors: [ + part17, + select6, + part20, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","received a REQUEST DHCP packet from relay-agent"), + ]), + }); + + var msg12 = msg("dhcpd:12", all3); + + var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","bind update rejected"), + ])); + + var msg13 = msg("dhcpd:21", part21); + + var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ + 
dup16, + dup7, + dup9, + setc("event_description","Unable to add forward map"), + ])); + + var msg14 = msg("dhcpd:10", part22); + + var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Average dynamic DNS update latency"), + ])); + + var msg15 = msg("dhcpd:13", part23); + + var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Dynamic DNS update timeout count"), + ])); + + var msg16 = msg("dhcpd:15", part24); + + var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Removed forward map"), + ])); + + var msg17 = msg("dhcpd:22", part25); + + var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Removed reverse map"), + ])); + + var msg18 = msg("dhcpd:25", part26); + + var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","received shutdown"), + ])); + + var msg19 = msg("dhcpd:06", part27); + + var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "new forward map from %{hostname->} %{space->} %{daddr}"); + + var all4 = all_match({ + processors: [ + dup17, + dup66, + part28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Added new forward map"), + ]), + }); + + var msg20 = msg("dhcpd:18", all4); + + var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "reverse map from %{hostname->} %{space->} %{daddr}"); + + var all5 = all_match({ + processors: [ + 
dup17, + dup66, + part29, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","added reverse map"), + ]), + }); + + var msg21 = msg("dhcpd:19", all5); + + var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Abandoning IP declined"), + ])); + + var msg22 = msg("dhcpd", part30); + + var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Abandoning IP pinged before offer"), + ])); + + var msg23 = msg("dhcpd:30", part31); + + var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ + dup16, + dup7, + dup9, + dup20, + ])); + + var msg24 = msg("dhcpd:01", part32); + + var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", processor_chain([ + dup16, + dup7, + dup9, + dup20, + ])); + + var msg25 = msg("dhcpd:02", part33); + + var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{dmacaddr->} %{p0}"); + + var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{interface->} (%{info})"); + + var all6 = all_match({ + processors: [ + part34, + dup67, + part35, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup23, + ]), + }); + + var msg26 = msg("dhcpd:03", all6); + + var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup24, + ])); + + var msg27 = msg("dhcpd:04", part36); + + var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); + + var part38 = 
match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); + + var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); + + var all7 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + setc("action","DHCPREQUEST ignored"), + ]), + }); + + var msg28 = msg("dhcpd:07", all7); + + var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{interface}: wrong network"); + + var all8 = all_match({ + processors: [ + dup25, + dup68, + part41, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup27, + setc("result","wrong network"), + ]), + }); + + var msg29 = msg("dhcpd:09", all8); + + var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{interface}: lease %{hostip->} unavailable"); + + var all9 = all_match({ + processors: [ + dup25, + dup68, + part42, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + dup27, + setc("result","lease unavailable"), + ]), + }); + + var msg30 = msg("dhcpd:26", all9); + + var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + dup27, + ])); + + var msg31 = msg("dhcpd:08", part43); + + var all10 = all_match({ + processors: [ + dup25, + dup68, + dup28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup27, + ]), + }); + + var msg32 = msg("dhcpd:11", all10); + + var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ + dup13, + dup7, + dup9, + dup23, + dup29, + ])); + + var msg33 = msg("dhcpd:31", part44); + + var part45 = match("MESSAGE#33:dhcpd:32", 
"nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + setc("action","BOOTREQUEST"), + dup30, + ])); + + var msg34 = msg("dhcpd:32", part45); + + var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Reclaiming abandoned lease"), + ])); + + var msg35 = msg("dhcpd:33", part46); + + var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); + + var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); + + var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); + + var select8 = linear_select([ + part48, + part49, + ]); + + var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); + + var part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); + + var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); + + var part53 = match_copy("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "fld7"); + + var select9 = linear_select([ + part51, + part52, + part53, + ]); + + var all11 = all_match({ + processors: [ + part47, + select8, + part50, + select9, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg36 = msg("dhcpd:34", all11); + + var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description"," Unable to add reverse map"), + ])); + + var msg37 = msg("dhcpd:35", part54); + + var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description"," Forward map 
failed"), + ])); + + var msg38 = msg("dhcpd:36", part55); + + var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{dmacaddr->} %{p0}"); + + var all12 = all_match({ + processors: [ + part56, + dup67, + dup31, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup32, + ]), + }); + + var msg39 = msg("dhcpd:14", all12); + + var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); + + var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); + + var part59 = match("MESSAGE#39:dhcpd:24/1_1", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + + var part60 = match("MESSAGE#39:dhcpd:24/1_2", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + + var select10 = linear_select([ + part58, + part59, + part60, + ]); + + var all13 = all_match({ + processors: [ + part57, + select10, + dup31, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("action","DHCPOFFER"), + ]), + }); + + var msg40 = msg("dhcpd:24", all13); + + var part61 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + setc("action","DHCPNAK"), + ])); + + var msg41 = msg("dhcpd:17", part61); + + var part62 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} %{p0}"); + + var all14 = all_match({ + processors: [ + part62, + dup68, + dup28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup24, + ]), + }); + + var msg42 = msg("dhcpd:05", all14); + + var part63 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + dup32, + ])); + + var msg43 = msg("dhcpd:16", part63); + + var part64 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + 
setc("action","DHCPINFORM"), + ])); + + var msg44 = msg("dhcpd:20", part64); + + var part65 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ + dup13, + dup7, + dup9, + setc("action","DHCPEXPIRE"), + ])); + + var msg45 = msg("dhcpd:23", part65); + + var part66 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg46 = msg("dhcpd:28", part66); + + var part67 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg47 = msg("dhcpd:29", part67); + + var part68 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg48 = msg("dhcpd:39", part68); + + var part69 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE on%{saddr}to%{dmacaddr}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg49 = msg("dhcpd:41", part69); + + var part70 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg50 = msg("dhcpd:42", part70); + + var part71 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup13, + dup7, + dup9, + setc("dclass_counter1_string","count of leases"), + dup30, + ])); + + var msg51 = msg("dhcpd:43", part71); + + var part72 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE 
from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup29, + ])); + + var msg52 = msg("dhcpd:44", part72); + + var part73 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg53 = msg("dhcpd:45", part73); + + var part74 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Reclaiming REQUESTed abandoned IP address"), + ])); + + var msg54 = msg("dhcpd:46", part74); + + var part75 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); + + var part76 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{p0}"); + + var part77 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{p0}"); + + var select11 = linear_select([ + part76, + part77, + ]); + + var part78 = match_copy("MESSAGE#198:dhcpd:47/2", "nwparser.p0", "macaddr"); + + var all15 = all_match({ + processors: [ + part75, + select11, + part78, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg55 = msg("dhcpd:47", all15); + + var part79 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg56 = msg("dhcpd:48", part79); + + var part80 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("protocol","ICMP"), + ])); + + var msg57 = msg("dhcpd:49", part80); + + var part81 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. 
Not abandoning %{hostip}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg58 = msg("dhcpd:50", part81); + + var part82 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); + + var part83 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); + + var select12 = linear_select([ + part82, + part83, + ]); + + var part84 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); + + var part85 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); + + var part86 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); + + var select13 = linear_select([ + part85, + part86, + ]); + + var part87 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); + + var all16 = all_match({ + processors: [ + select12, + part84, + select13, + part87, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("disposition","deferred"), + ]), + }); + + var msg59 = msg("dhcpd:51", all16); + + var part88 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg60 = msg("dhcpd:52", part88); + + var msg61 = msg("dhcpd:37", dup69); + + var select14 = linear_select([ + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + ]); + + var part89 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","system event status"), + ])); 
+ + var msg62 = msg("ntpd:05", part89); + + var part90 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","frequency initialized from file"), + ])); + + var msg63 = msg("ntpd:04", part90); + + var part91 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg64 = msg("ntpd:03", part91); + + var part92 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","time slew duraion"), + ])); + + var msg65 = msg("ntpd", part92); + + var part93 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","signal had flags"), + ])); + + var msg66 = msg("ntpd:01", part93); + + var msg67 = msg("ntpd:02", dup65); + + var select15 = linear_select([ + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + ]); + + var part94 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); + + var all17 = all_match({ + processors: [ + part94, + dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + ]), + }); + + var msg68 = msg("named:16", all17); + + var part95 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); + + var all18 = all_match({ + processors: [ + part95, + dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + dup35, + ]), + }); + + var msg69 = msg("named", all18); + + var part96 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); + + var all19 = all_match({ + processors: [ + part96, 
+ dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + ]), + }); + + var msg70 = msg("named:12", all19); + + var part97 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); + + var part98 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); + + var select16 = linear_select([ + part97, + part98, + ]); + + var part99 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); + + var all20 = all_match({ + processors: [ + dup36, + select16, + part99, + dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + ]), + }); + + var msg71 = msg("named:01", all20); + + var part100 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); + + var part101 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); + + var part102 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); + + var select17 = linear_select([ + part102, + dup40, + ]); + + var part103 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); + + var select18 = linear_select([ + dup41, + part103, + ]); + + var all21 = all_match({ + processors: [ + part100, + dup71, + part101, + select17, + select18, + dup72, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup45, + dup35, + ]), + }); + + var msg72 = msg("named:17", all21); + + var part104 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); + + var part105 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); + + var part106 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); + + var select19 = linear_select([ + part105, + part106, + ]); + + var part107 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); + + var all22 = all_match({ + processors: [ + part104, + select19, + part107, + ], + on_success: 
processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg73 = msg("named:18", all22); + + var part108 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); + + var part109 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); + + var part110 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); + + var select20 = linear_select([ + part110, + dup40, + ]); + + var part111 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); + + var select21 = linear_select([ + dup41, + part111, + ]); + + var all23 = all_match({ + processors: [ + part108, + dup71, + part109, + select20, + select21, + dup72, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup45, + dup35, + ]), + }); + + var msg74 = msg("named:02", all23); + + var part112 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); + + var part113 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); + + var part114 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); + + var select22 = linear_select([ + part113, + part114, + ]); + + var all24 = all_match({ + processors: [ + part112, + select22, + dup46, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup47, + ]), + }); + + var msg75 = msg("named:19", all24); + + var part115 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg76 = msg("named:03", part115); + + var part116 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","notify zone is up to date"), + ])); + + var msg77 = 
msg("named:11", part116); + + var part117 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg78 = msg("named:13", part117); + + var part118 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg79 = msg("named:14", part118); + + var part119 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg80 = msg("named:15", part119); + + var part120 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); + + var part121 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); + + var select23 = linear_select([ + part121, + dup48, + ]); + + var all25 = all_match({ + processors: [ + part120, + select23, + ], + on_success: processor_chain([ + dup49, + dup50, + dup15, + dup7, + dup9, + setc("event_description","DNS format error"), + dup30, + ]), + }); + + var msg81 = msg("named:25", all25); + + var part122 = match("MESSAGE#67:named:63/2", "nwparser.p0", "#%{saddr->} %{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); + + var all26 = all_match({ + processors: [ + dup51, + dup73, + part122, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg82 = msg("named:63", all26); + + var part123 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); + + var part124 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); + + var part125 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); + + 
var select24 = linear_select([ + part124, + part125, + ]); + + var part126 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); + + var all27 = all_match({ + processors: [ + part123, + select24, + part126, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg83 = msg("named:72", all27); + + var part127 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg84 = msg("named:28", part127); + + var part128 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); + + var part129 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{p0}"); + + var part130 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{p0}"); + + var select25 = linear_select([ + part129, + part130, + ]); + + var all28 = all_match({ + processors: [ + part128, + select25, + dup48, + ], + on_success: processor_chain([ + dup49, + dup7, + dup9, + dup30, + setc("event_description","failed"), + ]), + }); + + var msg85 = msg("named:71", all28); + + var part131 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: %{p0}"); + + var part132 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); + + var select26 = linear_select([ + part132, + dup46, + ]); + + var all29 = all_match({ + processors: [ + part131, + select26, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg86 = msg("named:70", all29); + + var part133 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); + + var part134 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); + + var part135 = match("MESSAGE#72:named:40/1_1", 
"nwparser.p0", "%{protocol}: query: %{p0}"); + + var select27 = linear_select([ + part134, + part135, + ]); + + var part136 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); + + var part137 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); + + var part138 = match_copy("MESSAGE#72:named:40/3_1", "nwparser.p0", "context"); + + var select28 = linear_select([ + part137, + part138, + ]); + + var all30 = all_match({ + processors: [ + part133, + select27, + part136, + select28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg87 = msg("named:40", all30); + + var part139 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg88 = msg("named:05", part139); + + var part140 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); + + var part141 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); + + var part142 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); + + var select29 = linear_select([ + part140, + part141, + part142, + dup54, + ]); + + var part143 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); + + var all31 = all_match({ + processors: [ + dup36, + select29, + part143, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","dns query"), + ]), + }); + + var msg89 = msg("named:10", all31); + + var part144 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","received notify for zone"), + ])); + + var msg90 = msg("named:29", part144); + + var part145 = match("MESSAGE#76:named:08", "nwparser.payload", "client 
%{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","client received notify for zone"), + ])); + + var msg91 = msg("named:08", part145); + + var part146 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","client update forwarding for zone denied"), + ])); + + var msg92 = msg("named:09", part146); + + var part147 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); + + var part148 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); + + var part149 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); + + var select30 = linear_select([ + part148, + part149, + ]); + + var part150 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); + + var part151 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. 
Zone version is now %{version}."); + + var part152 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); + + var select31 = linear_select([ + part151, + part152, + ]); + + var all32 = all_match({ + processors: [ + part147, + select30, + part150, + select31, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg93 = msg("named:76", all32); + + var part153 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg94 = msg("named:75", part153); + + var part154 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); + + var part155 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); + + var part156 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); + + var select32 = linear_select([ + part155, + part156, + ]); + + var all33 = all_match({ + processors: [ + part154, + select32, + dup46, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg95 = msg("named:06", all33); + + var part157 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup50, + dup15, + dup7, + dup9, + dup55, + dup30, + dup56, + ])); + + var msg96 = msg("named:20", part157); + + var part158 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); + + var part159 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); + + var part160 = match_copy("MESSAGE#82:named:49/1_1", "nwparser.p0", "fld1"); + + var select33 = linear_select([ + part159, + part160, + ]); + + var all34 = all_match({ + processors: [ + part158, + select33, + ], + on_success: processor_chain([ + dup57, + dup50, + dup15, + 
dup7, + dup9, + dup55, + dup30, + dup35, + ]), + }); + + var msg97 = msg("named:49", all34); + + var part161 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{fld2}: zone transfer%{p0}"); + + var part162 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "zone transfer%{p0}"); + + var select34 = linear_select([ + part161, + part162, + ]); + + var part163 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); + + var all35 = all_match({ + processors: [ + dup58, + select34, + part163, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg98 = msg("named:24", all35); + + var part164 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{fld2}: no more recursive clients %{p0}"); + + var part165 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "no more recursive clients%{p0}"); + + var select35 = linear_select([ + part164, + part165, + ]); + + var part166 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); + + var all36 = all_match({ + processors: [ + dup58, + select35, + part166, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg99 = msg("named:26", all36); + + var part167 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{fld2->} : %{fld3->} response from Internet for %{p0}"); + + var part168 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{fld3->} response from Internet for %{p0}"); + + var select36 = linear_select([ + part167, + part168, + ]); + + var part169 = match_copy("MESSAGE#85:named:27/2", "nwparser.p0", "fld4"); + + var all37 = all_match({ + processors: [ + dup58, + select36, + part169, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg100 = msg("named:27", all37); + + var part170 = match("MESSAGE#86:named:38/2", "nwparser.p0", "#%{saddr->} %{p0}"); + + var part171 = match("MESSAGE#86:named:38/3_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + + var part172 = match("MESSAGE#86:named:38/3_1", 
"nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); + + var select37 = linear_select([ + part171, + part172, + dup54, + ]); + + var part173 = match("MESSAGE#86:named:38/4", "nwparser.p0", "%{}query%{p0}"); + + var part174 = match("MESSAGE#86:named:38/5_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); + + var part175 = match("MESSAGE#86:named:38/5_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); + + var select38 = linear_select([ + part174, + part175, + ]); + + var all38 = all_match({ + processors: [ + dup51, + dup73, + part170, + select37, + part173, + select38, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg101 = msg("named:38", all38); + + var part176 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup50, + dup15, + dup7, + dup9, + dup55, + ])); + + var msg102 = msg("named:39", part176); + + var part177 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg103 = msg("named:46", part177); + + var part178 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg104 = msg("named:64", part178); + + var part179 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, + dup47, + ])); + + var msg105 = msg("named:45", part179); + + var part180 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: 
updating zone '%{p0}"); + + var part181 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); + + var part182 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); + + var select39 = linear_select([ + part181, + part182, + ]); + + var part183 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); + + var part184 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa"); + + var part185 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6}"); + + var part186 = match_copy("MESSAGE#91:named:44/3_2", "nwparser.p0", "fld5"); + + var select40 = linear_select([ + part184, + part185, + part186, + ]); + + var all39 = all_match({ + processors: [ + part180, + select39, + part183, + select40, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg106 = msg("named:44", all39); + + var part187 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg107 = msg("named:43", part187); + + var part188 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup7, + dup9, + dup56, + ])); + + var msg108 = msg("named:42", part188); + + var part189 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg109 = msg("named:41", part189); + + var part190 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ + setc("eventcategory","1502000000"), + dup7, + dup9, + ])); + + var msg110 = msg("named:47", part190); + + var part191 = match("MESSAGE#96:named:48", 
"nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup57, + dup7, + dup9, + dup30, + ])); + + var msg111 = msg("named:48", part191); + + var part192 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg112 = msg("named:62", part192); + + var part193 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg113 = msg("named:53", part193); + + var part194 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ + dup49, + dup7, + dup9, + setc("event_description"," query failed"), + ])); + + var msg114 = msg("named:77", part194); + + var part195 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ + dup59, + dup7, + dup9, + dup47, + ])); + + var msg115 = msg("named:52", part195); + + var part196 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ + dup59, + dup7, + dup9, + ])); + + var msg116 = msg("named:50", part196); + + var part197 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup57, + dup7, + dup9, + dup50, + dup15, + dup55, + ])); + + var msg117 = msg("named:51", part197); + + var part198 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup59, + dup7, + dup9, + dup3, + dup15, + dup30, + ])); + + var msg118 = msg("named:54", part198); + + var part199 = match("MESSAGE#104:named:55/0", 
"nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); + + var part200 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); + + var part201 = match_copy("MESSAGE#104:named:55/1_1", "nwparser.p0", "fld2"); + + var select41 = linear_select([ + part200, + part201, + ]); + + var all40 = all_match({ + processors: [ + part199, + select41, + ], + on_success: processor_chain([ + dup59, + dup7, + dup9, + dup6, + dup30, + dup60, + ]), + }); + + var msg119 = msg("named:55", all40); + + var part202 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, + dup50, + dup15, + dup30, + dup60, + ])); + + var msg120 = msg("named:56", part202); + + var part203 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, + setc("ec_outcome","Error"), + dup30, + dup60, + ])); + + var msg121 = msg("named:57", part203); + + var part204 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); + + var part205 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); + + var part206 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); + + var select42 = linear_select([ + part205, + part206, + ]); + + var part207 = match_copy("MESSAGE#107:named:04/2", "nwparser.p0", "sport"); + + var all41 = all_match({ + processors: [ + part204, + select42, + part207, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg122 = msg("named:04", all41); + + var part208 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, + dup30, + dup60, + ])); + + var msg123 = 
msg("named:58", part208); + + var part209 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup60, + ])); + + var msg124 = msg("named:59", part209); + + var part210 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup60, + setc("event_description","skipping nameserver because it is a CNAME"), + ])); + + var msg125 = msg("named:60", part210); + + var part211 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg126 = msg("named:61", part211); + + var part212 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup35, + ])); + + var msg127 = msg("named:73", part212); + + var part213 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg128 = msg("named:74", part213); + + var part214 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); + + var part215 = match_copy("MESSAGE#114:named:07/0_1", "nwparser.payload", "event_description"); + + var select43 = linear_select([ + part214, + part215, + ]); + + var all42 = all_match({ + processors: [ + select43, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg129 = msg("named:07", all42); + + var select44 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + 
msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + ]); + + var part216 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","can't read sid"), + ])); + + var msg130 = msg("pidof:01", part216); + + var part217 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg131 = msg("pidof", part217); + + var select45 = linear_select([ + msg130, + msg131, + ]); + + var part218 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. 
%{result}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Configured local-address not available as source address for DNS updates"), + ])); + + var msg132 = msg("validate_dhcpd:01", part218); + + var msg133 = msg("validate_dhcpd", dup74); + + var select46 = linear_select([ + msg132, + msg133, + ]); + + var msg134 = msg("syslog-ng", dup65); + + var part219 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg135 = msg("kernel", part219); + + var msg136 = msg("kernel:01", dup65); + + var select47 = linear_select([ + msg135, + msg136, + ]); + + var msg137 = msg("radiusd", dup65); + + var part220 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg138 = msg("rc", part220); + + var msg139 = msg("rc3", dup65); + + var part221 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg140 = msg("rcsysinit", part221); + + var msg141 = msg("rcsysinit:01", dup65); + + var select48 = linear_select([ + msg140, + msg141, + ]); + + var part222 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg142 = msg("watchdog", part222); + + var part223 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg143 = msg("watchdog:01", part223); + + var part224 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg144 = msg("watchdog:02", part224); + + var part225 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = 
%{resultcode}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg145 = msg("watchdog:03", part225); + + var msg146 = msg("watchdog:04", dup65); + + var select49 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var msg147 = msg("init", dup65); + + var part226 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg148 = msg("logger", part226); + + var msg149 = msg("logger:01", dup65); + + var select50 = linear_select([ + msg148, + msg149, + ]); + + var part227 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg150 = msg("openvpn-member", part227); + + var msg151 = msg("openvpn-member:01", dup75); + + var part228 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg152 = msg("openvpn-member:02", part228); + + var part229 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg153 = msg("openvpn-member:03", part229); + + var msg154 = msg("openvpn-member:04", dup76); + + var msg155 = msg("openvpn-member:05", dup65); + + var select51 = linear_select([ + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + ]); + + var part230 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg156 = msg("sshd", part230); + + var part231 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); + + var part232 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); + + var part233 = match("MESSAGE#140:sshd:01/1_1", 
"nwparser.p0", "%{username->} from %{p0}"); + + var select52 = linear_select([ + part232, + part233, + ]); + + var part234 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); + + var all43 = all_match({ + processors: [ + part231, + select52, + part234, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg157 = msg("sshd:01", all43); + + var part235 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg158 = msg("sshd:02", part235); + + var part236 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg159 = msg("sshd:03", part236); + + var part237 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ + setc("eventcategory","1601000000"), + dup7, + dup9, + ])); + + var msg160 = msg("sshd:04", part237); + + var part238 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ + dup2, + dup3, + dup5, + dup15, + dup7, + dup9, + setc("event_description","logout"), + ])); + + var msg161 = msg("sshd:05", part238); + + var part239 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ + dup16, + dup7, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + ])); + + var msg162 = msg("sshd:06", part239); + + var part240 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup13, + dup7, + setc("result","slowing down ssh login"), + setc("event_description","Sleep 60 seconds"), + ])); + + var msg163 = msg("sshd:07", part240); + + var part241 = 
match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010300"), + dup7, + setc("event_description","authentication succeeded"), + dup9, + dup61, + ])); + + var msg164 = msg("sshd:08", part241); + + var part242 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","User group"), + dup61, + ])); + + var msg165 = msg("sshd:09", part242); + + var part243 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Bad protocol version identification"), + dup61, + ])); + + var msg166 = msg("sshd:10", part243); + + var select53 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + ]); + + var part244 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg167 = msg("openvpn-master", part244); + + var part245 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg168 = msg("openvpn-master:01", part245); + + var msg169 = msg("openvpn-master:02", dup75); + + var part246 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg170 = msg("openvpn-master:03", part246); + + var part247 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg171 = msg("openvpn-master:04", 
part247); + + var part248 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg172 = msg("openvpn-master:05", part248); + + var msg173 = msg("openvpn-master:06", dup76); + + var msg174 = msg("openvpn-master:07", dup65); + + var select54 = linear_select([ + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + ]); + + var part249 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg175 = msg("INFOBLOX-Grid", part249); + + var part250 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); + + var part251 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); + + var select55 = linear_select([ + part250, + part251, + ]); + + var part252 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); + + var all44 = all_match({ + processors: [ + select55, + part252, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg176 = msg("INFOBLOX-Grid:02", all44); + + var part253 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Upgrade Complete"), + ])); + + var msg177 = msg("INFOBLOX-Grid:03", part253); + + var part254 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg178 = msg("INFOBLOX-Grid:04", part254); + + var select56 = linear_select([ + msg175, + msg176, + msg177, + msg178, + ]); + + var part255 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg179 = msg("db_jnld", part255); + + var 
part256 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); + + var part257 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); + + var part258 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); + + var part259 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); + + var part260 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); + + var part261 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); + + var select57 = linear_select([ + part257, + part258, + part259, + part260, + part261, + ]); + + var part262 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "\"%{fld1}\" in zone \"%{zone}\""); + + var all45 = all_match({ + processors: [ + part256, + select57, + part262, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg180 = msg("db_jnld:01", all45); + + var select58 = linear_select([ + msg179, + msg180, + ]); + + var part263 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); + + var part264 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes}"); + + var part265 = match_copy("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "space"); + + var select59 = linear_select([ + part264, + part265, + ]); + + var all46 = all_match({ + processors: [ + part263, + select59, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg181 = msg("sSMTP", all46); + + var part266 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg182 = msg("sSMTP:02", part266); + + var part267 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg183 = msg("sSMTP:03", part267); + + var msg184 = msg("sSMTP:04", dup74); + + var select60 = 
linear_select([ + msg181, + msg182, + msg183, + msg184, + ]); + + var part268 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg185 = msg("scheduled_backups", part268); + + var part269 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Scheduled backup to the FTP server was successful"), + ])); + + var msg186 = msg("scheduled_ftp_backups", part269); + + var part270 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Scheduled backup to the FTP server failed"), + ])); + + var msg187 = msg("failed_scheduled_ftp_backups", part270); + + var select61 = linear_select([ + msg186, + msg187, + ]); + + var part271 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Scheduled backup to the SCP server was successful"), + ])); + + var msg188 = msg("scheduled_scp_backups", part271); + + var part272 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg189 = msg("python", part272); + + var part273 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg190 = msg("python:01", part273); + + var part274 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view 
'%{fld1}'.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg191 = msg("python:02", part274); + + var part275 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg192 = msg("python:03", part275); + + var part276 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg193 = msg("python:04", part276); + + var part277 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg194 = msg("python:05", part277); + + var msg195 = msg("python:06", dup65); + + var select62 = linear_select([ + msg189, + msg190, + msg191, + msg192, + msg193, + msg194, + msg195, + ]); + + var part278 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup12, + dup7, + dup9, + ])); + + var msg196 = msg("monitor", part278); + + var part279 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg197 = msg("snmptrapd", part279); + + var part280 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg198 = msg("snmptrapd:01", part280); + + var msg199 = msg("snmptrapd:02", dup65); + + var select63 = linear_select([ + msg197, + msg198, + msg199, + ]); + + var part281 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg200 = msg("ntpdate", part281); + + var 
msg201 = msg("ntpdate:01", dup74); + + var select64 = linear_select([ + msg200, + msg201, + ]); + + var msg202 = msg("phonehome", dup65); + + var part282 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg203 = msg("purge_scheduled_tasks", part282); + + var part283 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ + dup14, + dup3, + dup4, + dup11, + dup15, + dup7, + date_time({ + dest: "event_time", + args: ["fld20","fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup9, + setc("event_description","Login Denied"), + ])); + + var msg204 = msg("serial_console:04", part283); + + var part284 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ + dup14, + dup3, + dup4, + dup11, + dup15, + dup7, + dup9, + setc("event_description","No authentication methods succeeded for user"), + ])); + + var msg205 = msg("serial_console:03", part284); + + var part285 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ + dup10, + dup3, + dup4, + dup11, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg206 = msg("serial_console", part285); + + var part286 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010100"), + dup3, + dup4, + dup11, + dup6, + dup7, + dup9, + setc("event_description","RADIUS authentication succeeded for user"), + ])); + + var msg207 = msg("serial_console:01", part286); + + var part287 = 
match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","User group identification"), + ])); + + var msg208 = msg("serial_console:02", part287); + + var part288 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","system reboot"), + ])); + + var msg209 = msg("serial_console:05", part288); + + var part289 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Local authentication succeeded for user"), + ])); + + var msg210 = msg("serial_console:06", part289); + + var select65 = linear_select([ + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + ]); + + var msg211 = msg("rc6", dup65); + + var msg212 = msg("acpid", dup65); + + var msg213 = msg("diskcheck", dup65); + + var part290 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg214 = msg("debug_mount", part290); + + var msg215 = msg("smart_check_io", dup65); + + var msg216 = msg("speedstep_control", dup65); + + var part291 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Distribution Started"), + ])); + + var msg217 = msg("controld", part291); + + var part292 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Distribution Complete"), + ])); + + var msg218 = msg("controld:02", part292); + + var select66 = linear_select([ + msg217, + msg218, + ]); + + var part293 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", 
processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","shutting down for system reboot"), + ])); + + var msg219 = msg("shutdown", part293); + + var part294 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","ntpd exiting"), + ])); + + var msg220 = msg("ntpd_initres", part294); + + var part295 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg221 = msg("rsyncd", part295); + + var part296 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg222 = msg("rsyncd:01", part296); + + var part297 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg223 = msg("rsyncd:02", part297); + + var part298 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg224 = msg("rsyncd:03", part298); + + var part299 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ + dup13, + dup7, + setc("event_description","building file list"), + dup9, + ])); + + var msg225 = msg("rsyncd:04", part299); + + var select67 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + ]); + + var msg226 = msg("syslog", dup77); + + var msg227 = msg("restarting", dup77); + + var part300 = match_copy("MESSAGE#227:ipmievd", "nwparser.payload", "fld1", processor_chain([ + dup13, + dup7, + dup9, + dup62, + ])); + + var msg228 = msg("ipmievd", part300); + + var part301 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + 
dup59, + dup7, + dup9, + dup61, + ])); + + var msg229 = msg("netauto_discovery", part301); + + var part302 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup59, + dup7, + dup9, + dup61, + setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), + ])); + + var msg230 = msg("netauto_discovery:01", part302); + + var part303 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg231 = msg("netauto_discovery:02", part303); + + var part304 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup63, + dup7, + dup9, + dup61, + dup15, + ])); + + var msg232 = msg("netauto_discovery:03", part304); + + var select68 = linear_select([ + msg229, + msg230, + msg231, + msg232, + ]); + + var part305 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg233 = msg("netauto_core:01", part305); + + var part306 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg234 = msg("netauto_core", part306); + + var select69 = linear_select([ + msg233, + msg234, + ]); + + var part307 = match_copy("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "event_description", processor_chain([ + dup49, + dup7, + dup9, + dup61, + dup15, + ])); + + var msg235 = msg("captured_dns_uploader", part307); + + var part308 = 
match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup63, + dup7, + dup9, + dup61, + dup11, + dup15, + ])); + + var msg236 = msg("DIS", part308); + + var part309 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg237 = msg("DIS:01", part309); + + var select70 = linear_select([ + msg236, + msg237, + ]); + + var part310 = match_copy("MESSAGE#237:ErrorMsg", "nwparser.payload", "result", processor_chain([ + dup64, + dup7, + dup9, + dup61, + ])); + + var msg238 = msg("ErrorMsg", part310); + + var part311 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + dup61, + ])); + + var msg239 = msg("tacacs_acct", part311); + + var part312 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. 
%{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup64, + dup7, + dup9, + dup61, + setc("event_description","Accounting request failed."), + ])); + + var msg240 = msg("tacacs_acct:01", part312); + + var part313 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ + dup13, + dup7, + dup9, + dup61, + ])); + + var msg241 = msg("tacacs_acct:02", part313); + + var select71 = linear_select([ + msg239, + msg240, + msg241, + ]); + + var part314 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Relay-forward message"), + ])); + + var msg242 = msg("dhcpdv6", part314); + + var part315 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulated Solicit message"), + ])); + + var msg243 = msg("dhcpdv6:01", part315); + + var part316 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","IP unknown - No addresses available for this interface"), + ])); + + var msg244 = msg("dhcpdv6:02", part316); + + var part317 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulating Advertise message"), + ])); + + var msg245 = msg("dhcpdv6:03", part317); + + var part318 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port 
%{sport}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Sending Relay-reply message"), + ])); + + var msg246 = msg("dhcpdv6:04", part318); + + var part319 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulated Information-request message"), + ])); + + var msg247 = msg("dhcpdv6:05", part319); + + var part320 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulating Reply message"), + ])); + + var msg248 = msg("dhcpdv6:06", part320); + + var part321 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulated Renew message"), + ])); + + var msg249 = msg("dhcpdv6:07", part321); + + var part322 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg250 = msg("dhcpdv6:08", part322); + + var msg251 = msg("dhcpdv6:09", dup69); + + var select72 = linear_select([ + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, + ]); + + var msg252 = msg("debug", dup69); + + var part323 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","proxying request"), + ])); + + var msg253 = msg("cloud_api", part323); + + var chain1 = processor_chain([ 
+ select3, + msgid_select({ + "DIS": select70, + "ErrorMsg": msg238, + "INFOBLOX-Grid": select56, + "acpid": msg212, + "captured_dns_uploader": msg235, + "cloud_api": msg253, + "controld": select66, + "db_jnld": select58, + "debug": msg252, + "debug_mount": msg214, + "dhcpd": select14, + "dhcpdv6": select72, + "diskcheck": msg213, + "httpd": select4, + "in.tftpd": select5, + "init": msg147, + "ipmievd": msg228, + "kernel": select47, + "logger": select50, + "monitor": msg196, + "named": select44, + "netauto_core": select69, + "netauto_discovery": select68, + "ntpd": select15, + "ntpd_initres": msg220, + "ntpdate": select64, + "openvpn-master": select54, + "openvpn-member": select51, + "phonehome": msg202, + "pidof": select45, + "purge_scheduled_tasks": msg203, + "python": select62, + "radiusd": msg137, + "rc": msg138, + "rc3": msg139, + "rc6": msg211, + "rcsysinit": select48, + "restarting": msg227, + "rsyncd": select67, + "sSMTP": select60, + "scheduled_backups": msg185, + "scheduled_ftp_backups": select61, + "scheduled_scp_backups": msg188, + "serial_console": select65, + "shutdown": msg219, + "smart_check_io": msg215, + "snmptrapd": select63, + "speedstep_control": msg216, + "sshd": select53, + "syslog": msg226, + "syslog-ng": msg134, + "tacacs_acct": select71, + "validate_dhcpd": select46, + "watchdog": select49, + }), + ]); + + var hdr6 = match("HEADER#1:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); + + var part324 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + + var part325 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + + var part326 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + + var part327 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); + + var part328 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); + + var part329 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); + 
+ var part330 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); + + var part331 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); + + var part332 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); + + var part333 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); + + var part334 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); + + var part335 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var part336 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var part337 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var part338 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var part339 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var part340 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var part341 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var part342 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + + var part343 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); + + var part344 = match_copy("MESSAGE#60:named:19/2", "nwparser.p0", "event_description"); + + var part345 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); + + var part346 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var part347 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); + + var part348 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); + + var part349 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var part350 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); + + var part351 = match_copy("MESSAGE#7:httpd:06", 
"nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var select73 = linear_select([ + dup18, + dup19, + ]); + + var select74 = linear_select([ + dup21, + dup22, + ]); + + var select75 = linear_select([ + dup26, + dup22, + ]); + + var part352 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var select76 = linear_select([ + dup33, + dup34, + ]); + + var select77 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var select78 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var select79 = linear_select([ + dup52, + dup53, + ]); + + var part353 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var part354 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var part355 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var part356 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup62, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + 
target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/infoblox/0.8.1/data_stream/nios/agent/stream/udp.yml.hbs b/packages/infoblox/0.8.1/data_stream/nios/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..df4ed5eb7f
--- /dev/null
+++ b/packages/infoblox/0.8.1/data_stream/nios/agent/stream/udp.yml.hbs
@@ -0,0 +1,6288 @@
+udp:
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Infoblox"
+ product: "Network"
+ type: "IPAM"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined?
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{hhostname->} %{p0}"); + + var dup2 = setc("eventcategory","1401070000"); + + var dup3 = setc("ec_theme","Authentication"); + + var dup4 = setc("ec_subject","User"); + + var dup5 = setc("ec_activity","Logoff"); + + var dup6 = setc("ec_outcome","Success"); + + var dup7 = setf("msg","$MSG"); + + var dup8 = date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup9 = setf("event_source","hhostname"); + + var dup10 = setc("eventcategory","1401060000"); + + var dup11 = setc("ec_activity","Logon"); + + var dup12 = setc("eventcategory","1609000000"); + + var dup13 = setc("eventcategory","1605000000"); + + var dup14 = setc("eventcategory","1401030000"); + + var dup15 = setc("ec_outcome","Failure"); + + var dup16 = setc("eventcategory","1603000000"); + + var dup17 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + + var dup18 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + + var dup19 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + + var dup20 = setc("action","DHCPDECLINE"); + + var dup21 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); + + var dup22 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); + + var dup23 = setc("action","DHCPRELEASE"); + + var dup24 = setc("action","DHCPDISCOVER"); + + var dup25 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); + + var dup26 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); + + var dup27 = setc("action","DHCPREQUEST"); + + var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); + + var dup29 = setc("event_description","unknown network segment"); + + var dup30 = date_time({ + dest: "event_time", + args: 
["month","day","time"], + fmts: [ + [dB,dF,dZ], + ], + }); + + var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); + + var dup32 = setc("action","DHCPACK"); + + var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); + + var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); + + var dup35 = setf("domain","zone"); + + var dup36 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var dup37 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var dup38 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var dup39 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var dup40 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var dup41 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + + var dup44 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); + + var dup45 = setc("event_description","updating zone"); + + var dup46 = match_copy("MESSAGE#60:named:19/2", "nwparser.p0", "event_description"); + + var dup47 = setf("domain","hostname"); + + var dup48 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); + + var dup49 = setc("eventcategory","1801010000"); + + var dup50 = setc("ec_activity","Request"); + + var dup51 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var dup52 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); + + var dup53 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); + + var dup54 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var dup55 = setc("action","Refused"); + + 
var dup56 = setf("dns_querytype","event_description"); + + var dup57 = setc("eventcategory","1901000000"); + + var dup58 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); + + var dup59 = setc("eventcategory","1801000000"); + + var dup60 = setf("zone","domain"); + + var dup61 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dD,dZ], + ], + }); + + var dup62 = setf("info","hdata"); + + var dup63 = setc("eventcategory","1301000000"); + + var dup64 = setc("eventcategory","1303000000"); + + var dup65 = match_copy("MESSAGE#7:httpd:06", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var dup66 = linear_select([ + dup18, + dup19, + ]); + + var dup67 = linear_select([ + dup21, + dup22, + ]); + + var dup68 = linear_select([ + dup26, + dup22, + ]); + + var dup69 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var dup70 = linear_select([ + dup33, + dup34, + ]); + + var dup71 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var dup72 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var dup73 = linear_select([ + dup52, + dup53, + ]); + + var dup74 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var dup75 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var dup76 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var dup77 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup62, + ])); + + var hdr1 = match("HEADER#0:001", "message", "%{month->} %{day->} %{time->} 
%{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","001"), + ])); + + var part1 = match("HEADER#1:006/1_0", "nwparser.p0", "%{hhostip} %{messageid}[%{data}]: %{p0}"); + + var part2 = match("HEADER#1:006/1_1", "nwparser.p0", "%{hhostip} %{messageid}: %{p0}"); + + var select1 = linear_select([ + part1, + part2, + ]); + + var part3 = match_copy("HEADER#1:006/2", "nwparser.p0", "payload"); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","006"), + ]), + }); + + var hdr2 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","005"), + ])); + + var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "-%{p0}"); + + var part5 = match_copy("HEADER#3:002/1_1", "nwparser.p0", "p0"); + + var select2 = linear_select([ + part4, + part5, + ]); + + var part6 = match("HEADER#3:002/2", "nwparser.p0", ":%{messageid->} %{payload}"); + + var all2 = all_match({ + processors: [ + dup1, + select2, + part6, + ], + on_success: processor_chain([ + setc("header_id","002"), + ]), + }); + + var hdr3 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr4 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr5 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var select3 = linear_select([ + hdr1, + all1, + hdr2, + all2, + hdr3, + hdr4, + hdr5, + ]); + + var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + 
dup9, + ])); + + var msg1 = msg("httpd", part7); + + var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ + dup10, + dup3, + dup4, + dup11, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg2 = msg("httpd:01", part8); + + var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ + dup12, + dup7, + dup8, + dup9, + ])); + + var msg3 = msg("httpd:02", part9); + + var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ + dup12, + dup7, + dup8, + dup9, + ])); + + var msg4 = msg("httpd:03", part10); + + var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication for user %{username->} failed", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg5 = msg("httpd:04", part11); + + var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ + dup13, + dup7, + dup8, + dup9, + ])); + + var msg6 = msg("httpd:05", part12); + + var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ + dup14, + dup3, + dup4, + dup11, + dup15, + dup7, + dup8, + dup9, + ])); + + var msg7 = msg("httpd:07", part13); + + var msg8 = msg("httpd:06", dup65); + + var select4 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + ]); + + var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %(unknown)", 
processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","RRQ from remote host"), + ])); + + var msg9 = msg("in.tftpd:01", part14); + + var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","sending NAK to remote host"), + ])); + + var msg10 = msg("in.tftpd:02", part15); + + var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ + setc("eventcategory","1801030000"), + dup7, + dup9, + ])); + + var msg11 = msg("in.tftpd", part16); + + var select5 = linear_select([ + msg9, + msg10, + msg11, + ]); + + var part17 = match("MESSAGE#11:dhcpd:12/0", "nwparser.payload", "%{event_type}: received a REQUEST DHCP packet from relay-agent %{interface->} with a circuit-id of \"%{id}\" and remote-id of \"%{smacaddr}\" for %{hostip->} (%{dmacaddr}) lease time is %{p0}"); + + var part18 = match("MESSAGE#11:dhcpd:12/1_0", "nwparser.p0", "undefined %{p0}"); + + var part19 = match("MESSAGE#11:dhcpd:12/1_1", "nwparser.p0", "%{duration->} %{p0}"); + + var select6 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "seconds%{}"); + + var all3 = all_match({ + processors: [ + part17, + select6, + part20, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","received a REQUEST DHCP packet from relay-agent"), + ]), + }); + + var msg12 = msg("dhcpd:12", all3); + + var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","bind update rejected"), + ])); + + var msg13 = msg("dhcpd:21", part21); + + var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ + 
dup16, + dup7, + dup9, + setc("event_description","Unable to add forward map"), + ])); + + var msg14 = msg("dhcpd:10", part22); + + var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Average dynamic DNS update latency"), + ])); + + var msg15 = msg("dhcpd:13", part23); + + var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Dynamic DNS update timeout count"), + ])); + + var msg16 = msg("dhcpd:15", part24); + + var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Removed forward map"), + ])); + + var msg17 = msg("dhcpd:22", part25); + + var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Removed reverse map"), + ])); + + var msg18 = msg("dhcpd:25", part26); + + var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","received shutdown"), + ])); + + var msg19 = msg("dhcpd:06", part27); + + var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "new forward map from %{hostname->} %{space->} %{daddr}"); + + var all4 = all_match({ + processors: [ + dup17, + dup66, + part28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Added new forward map"), + ]), + }); + + var msg20 = msg("dhcpd:18", all4); + + var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "reverse map from %{hostname->} %{space->} %{daddr}"); + + var all5 = all_match({ + processors: [ + 
dup17, + dup66, + part29, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","added reverse map"), + ]), + }); + + var msg21 = msg("dhcpd:19", all5); + + var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Abandoning IP declined"), + ])); + + var msg22 = msg("dhcpd", part30); + + var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Abandoning IP pinged before offer"), + ])); + + var msg23 = msg("dhcpd:30", part31); + + var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ + dup16, + dup7, + dup9, + dup20, + ])); + + var msg24 = msg("dhcpd:01", part32); + + var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", processor_chain([ + dup16, + dup7, + dup9, + dup20, + ])); + + var msg25 = msg("dhcpd:02", part33); + + var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{dmacaddr->} %{p0}"); + + var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{interface->} (%{info})"); + + var all6 = all_match({ + processors: [ + part34, + dup67, + part35, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup23, + ]), + }); + + var msg26 = msg("dhcpd:03", all6); + + var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup24, + ])); + + var msg27 = msg("dhcpd:04", part36); + + var part37 = match("MESSAGE#27:dhcpd:07/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} %{p0}"); + + var part38 = 
match("MESSAGE#27:dhcpd:07/1_0", "nwparser.p0", "(%{shost}) from %{p0}"); + + var part39 = match("MESSAGE#27:dhcpd:07/1_1", "nwparser.p0", "from %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); + + var all7 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + setc("action","DHCPREQUEST ignored"), + ]), + }); + + var msg28 = msg("dhcpd:07", all7); + + var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{interface}: wrong network"); + + var all8 = all_match({ + processors: [ + dup25, + dup68, + part41, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup27, + setc("result","wrong network"), + ]), + }); + + var msg29 = msg("dhcpd:09", all8); + + var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{interface}: lease %{hostip->} unavailable"); + + var all9 = all_match({ + processors: [ + dup25, + dup68, + part42, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + dup27, + setc("result","lease unavailable"), + ]), + }); + + var msg30 = msg("dhcpd:26", all9); + + var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + dup27, + ])); + + var msg31 = msg("dhcpd:08", part43); + + var all10 = all_match({ + processors: [ + dup25, + dup68, + dup28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup27, + ]), + }); + + var msg32 = msg("dhcpd:11", all10); + + var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ + dup13, + dup7, + dup9, + dup23, + dup29, + ])); + + var msg33 = msg("dhcpd:31", part44); + + var part45 = match("MESSAGE#33:dhcpd:32", 
"nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + setc("action","BOOTREQUEST"), + dup30, + ])); + + var msg34 = msg("dhcpd:32", part45); + + var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Reclaiming abandoned lease"), + ])); + + var msg35 = msg("dhcpd:33", part46); + + var part47 = match("MESSAGE#35:dhcpd:34/0", "nwparser.payload", "balanc%{p0}"); + + var part48 = match("MESSAGE#35:dhcpd:34/1_0", "nwparser.p0", "ed%{p0}"); + + var part49 = match("MESSAGE#35:dhcpd:34/1_1", "nwparser.p0", "ing%{p0}"); + + var select8 = linear_select([ + part48, + part49, + ]); + + var part50 = match("MESSAGE#35:dhcpd:34/2", "nwparser.p0", "%{}pool %{fld1->} %{saddr}/%{sport->} total %{fld2->} free %{fld3->} backup %{fld4->} lts %{fld5->} max-%{fld6->} %{p0}"); + + var part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{info})"); + + var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); + + var part53 = match_copy("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "fld7"); + + var select9 = linear_select([ + part51, + part52, + part53, + ]); + + var all11 = all_match({ + processors: [ + part47, + select8, + part50, + select9, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg36 = msg("dhcpd:34", all11); + + var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description"," Unable to add reverse map"), + ])); + + var msg37 = msg("dhcpd:35", part54); + + var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description"," Forward map 
failed"), + ])); + + var msg38 = msg("dhcpd:36", part55); + + var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{dmacaddr->} %{p0}"); + + var all12 = all_match({ + processors: [ + part56, + dup67, + dup31, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup32, + ]), + }); + + var msg39 = msg("dhcpd:14", all12); + + var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{saddr->} to %{p0}"); + + var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); + + var part59 = match("MESSAGE#39:dhcpd:24/1_1", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + + var part60 = match("MESSAGE#39:dhcpd:24/1_2", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + + var select10 = linear_select([ + part58, + part59, + part60, + ]); + + var all13 = all_match({ + processors: [ + part57, + select10, + dup31, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("action","DHCPOFFER"), + ]), + }); + + var msg40 = msg("dhcpd:24", all13); + + var part61 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + setc("action","DHCPNAK"), + ])); + + var msg41 = msg("dhcpd:17", part61); + + var part62 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} %{p0}"); + + var all14 = all_match({ + processors: [ + part62, + dup68, + dup28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup24, + ]), + }); + + var msg42 = msg("dhcpd:05", all14); + + var part63 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + dup32, + ])); + + var msg43 = msg("dhcpd:16", part63); + + var part64 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ + dup13, + dup7, + dup9, + 
setc("action","DHCPINFORM"), + ])); + + var msg44 = msg("dhcpd:20", part64); + + var part65 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ + dup13, + dup7, + dup9, + setc("action","DHCPEXPIRE"), + ])); + + var msg45 = msg("dhcpd:23", part65); + + var part66 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg46 = msg("dhcpd:28", part66); + + var part67 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg47 = msg("dhcpd:29", part67); + + var part68 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg48 = msg("dhcpd:39", part68); + + var part69 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE on%{saddr}to%{dmacaddr}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg49 = msg("dhcpd:41", part69); + + var part70 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg50 = msg("dhcpd:42", part70); + + var part71 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup13, + dup7, + dup9, + setc("dclass_counter1_string","count of leases"), + dup30, + ])); + + var msg51 = msg("dhcpd:43", part71); + + var part72 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE 
from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup29, + ])); + + var msg52 = msg("dhcpd:44", part72); + + var part73 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg53 = msg("dhcpd:45", part73); + + var part74 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Reclaiming REQUESTed abandoned IP address"), + ])); + + var msg54 = msg("dhcpd:46", part74); + + var part75 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); + + var part76 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{p0}"); + + var part77 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{p0}"); + + var select11 = linear_select([ + part76, + part77, + ]); + + var part78 = match_copy("MESSAGE#198:dhcpd:47/2", "nwparser.p0", "macaddr"); + + var all15 = all_match({ + processors: [ + part75, + select11, + part78, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg55 = msg("dhcpd:47", all15); + + var part79 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg56 = msg("dhcpd:48", part79); + + var part80 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("protocol","ICMP"), + ])); + + var msg57 = msg("dhcpd:49", part80); + + var part81 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. 
Not abandoning %{hostip}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg58 = msg("dhcpd:50", part81); + + var part82 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); + + var part83 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); + + var select12 = linear_select([ + part82, + part83, + ]); + + var part84 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); + + var part85 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); + + var part86 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); + + var select13 = linear_select([ + part85, + part86, + ]); + + var part87 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); + + var all16 = all_match({ + processors: [ + select12, + part84, + select13, + part87, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("disposition","deferred"), + ]), + }); + + var msg59 = msg("dhcpd:51", all16); + + var part88 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg60 = msg("dhcpd:52", part88); + + var msg61 = msg("dhcpd:37", dup69); + + var select14 = linear_select([ + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + ]); + + var part89 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","system event status"), + ])); 
+ + var msg62 = msg("ntpd:05", part89); + + var part90 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","frequency initialized from file"), + ])); + + var msg63 = msg("ntpd:04", part90); + + var part91 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg64 = msg("ntpd:03", part91); + + var part92 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","time slew duraion"), + ])); + + var msg65 = msg("ntpd", part92); + + var part93 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","signal had flags"), + ])); + + var msg66 = msg("ntpd:01", part93); + + var msg67 = msg("ntpd:02", dup65); + + var select15 = linear_select([ + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + ]); + + var part94 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); + + var all17 = all_match({ + processors: [ + part94, + dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + ]), + }); + + var msg68 = msg("named:16", all17); + + var part95 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); + + var all18 = all_match({ + processors: [ + part95, + dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + dup35, + ]), + }); + + var msg69 = msg("named", all18); + + var part96 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); + + var all19 = all_match({ + processors: [ + part96, 
+ dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + ]), + }); + + var msg70 = msg("named:12", all19); + + var part97 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); + + var part98 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); + + var select16 = linear_select([ + part97, + part98, + ]); + + var part99 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); + + var all20 = all_match({ + processors: [ + dup36, + select16, + part99, + dup70, + ], + on_success: processor_chain([ + dup16, + dup7, + dup9, + ]), + }); + + var msg71 = msg("named:01", all20); + + var part100 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); + + var part101 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); + + var part102 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); + + var select17 = linear_select([ + part102, + dup40, + ]); + + var part103 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); + + var select18 = linear_select([ + dup41, + part103, + ]); + + var all21 = all_match({ + processors: [ + part100, + dup71, + part101, + select17, + select18, + dup72, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup45, + dup35, + ]), + }); + + var msg72 = msg("named:17", all21); + + var part104 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); + + var part105 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); + + var part106 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); + + var select19 = linear_select([ + part105, + part106, + ]); + + var part107 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); + + var all22 = all_match({ + processors: [ + part104, + select19, + part107, + ], + on_success: 
processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg73 = msg("named:18", all22); + + var part108 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); + + var part109 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); + + var part110 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); + + var select20 = linear_select([ + part110, + dup40, + ]); + + var part111 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); + + var select21 = linear_select([ + dup41, + part111, + ]); + + var all23 = all_match({ + processors: [ + part108, + dup71, + part109, + select20, + select21, + dup72, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup45, + dup35, + ]), + }); + + var msg74 = msg("named:02", all23); + + var part112 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); + + var part113 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); + + var part114 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); + + var select22 = linear_select([ + part113, + part114, + ]); + + var all24 = all_match({ + processors: [ + part112, + select22, + dup46, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup47, + ]), + }); + + var msg75 = msg("named:19", all24); + + var part115 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg76 = msg("named:03", part115); + + var part116 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","notify zone is up to date"), + ])); + + var msg77 = 
msg("named:11", part116); + + var part117 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg78 = msg("named:13", part117); + + var part118 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg79 = msg("named:14", part118); + + var part119 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg80 = msg("named:15", part119); + + var part120 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); + + var part121 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); + + var select23 = linear_select([ + part121, + dup48, + ]); + + var all25 = all_match({ + processors: [ + part120, + select23, + ], + on_success: processor_chain([ + dup49, + dup50, + dup15, + dup7, + dup9, + setc("event_description","DNS format error"), + dup30, + ]), + }); + + var msg81 = msg("named:25", all25); + + var part122 = match("MESSAGE#67:named:63/2", "nwparser.p0", "#%{saddr->} %{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); + + var all26 = all_match({ + processors: [ + dup51, + dup73, + part122, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg82 = msg("named:63", all26); + + var part123 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); + + var part124 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); + + var part125 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); + + 
var select24 = linear_select([ + part124, + part125, + ]); + + var part126 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); + + var all27 = all_match({ + processors: [ + part123, + select24, + part126, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg83 = msg("named:72", all27); + + var part127 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg84 = msg("named:28", part127); + + var part128 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); + + var part129 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{p0}"); + + var part130 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{p0}"); + + var select25 = linear_select([ + part129, + part130, + ]); + + var all28 = all_match({ + processors: [ + part128, + select25, + dup48, + ], + on_success: processor_chain([ + dup49, + dup7, + dup9, + dup30, + setc("event_description","failed"), + ]), + }); + + var msg85 = msg("named:71", all28); + + var part131 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: %{p0}"); + + var part132 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); + + var select26 = linear_select([ + part132, + dup46, + ]); + + var all29 = all_match({ + processors: [ + part131, + select26, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg86 = msg("named:70", all29); + + var part133 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); + + var part134 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); + + var part135 = match("MESSAGE#72:named:40/1_1", 
"nwparser.p0", "%{protocol}: query: %{p0}"); + + var select27 = linear_select([ + part134, + part135, + ]); + + var part136 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); + + var part137 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); + + var part138 = match_copy("MESSAGE#72:named:40/3_1", "nwparser.p0", "context"); + + var select28 = linear_select([ + part137, + part138, + ]); + + var all30 = all_match({ + processors: [ + part133, + select27, + part136, + select28, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg87 = msg("named:40", all30); + + var part139 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg88 = msg("named:05", part139); + + var part140 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); + + var part141 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); + + var part142 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); + + var select29 = linear_select([ + part140, + part141, + part142, + dup54, + ]); + + var part143 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); + + var all31 = all_match({ + processors: [ + dup36, + select29, + part143, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","dns query"), + ]), + }); + + var msg89 = msg("named:10", all31); + + var part144 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","received notify for zone"), + ])); + + var msg90 = msg("named:29", part144); + + var part145 = match("MESSAGE#76:named:08", "nwparser.payload", "client 
%{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","client received notify for zone"), + ])); + + var msg91 = msg("named:08", part145); + + var part146 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","client update forwarding for zone denied"), + ])); + + var msg92 = msg("named:09", part146); + + var part147 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); + + var part148 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); + + var part149 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); + + var select30 = linear_select([ + part148, + part149, + ]); + + var part150 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); + + var part151 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. 
Zone version is now %{version}."); + + var part152 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); + + var select31 = linear_select([ + part151, + part152, + ]); + + var all32 = all_match({ + processors: [ + part147, + select30, + part150, + select31, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg93 = msg("named:76", all32); + + var part153 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg94 = msg("named:75", part153); + + var part154 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); + + var part155 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); + + var part156 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); + + var select32 = linear_select([ + part155, + part156, + ]); + + var all33 = all_match({ + processors: [ + part154, + select32, + dup46, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg95 = msg("named:06", all33); + + var part157 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup50, + dup15, + dup7, + dup9, + dup55, + dup30, + dup56, + ])); + + var msg96 = msg("named:20", part157); + + var part158 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); + + var part159 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); + + var part160 = match_copy("MESSAGE#82:named:49/1_1", "nwparser.p0", "fld1"); + + var select33 = linear_select([ + part159, + part160, + ]); + + var all34 = all_match({ + processors: [ + part158, + select33, + ], + on_success: processor_chain([ + dup57, + dup50, + dup15, + 
dup7, + dup9, + dup55, + dup30, + dup35, + ]), + }); + + var msg97 = msg("named:49", all34); + + var part161 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{fld2}: zone transfer%{p0}"); + + var part162 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "zone transfer%{p0}"); + + var select34 = linear_select([ + part161, + part162, + ]); + + var part163 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); + + var all35 = all_match({ + processors: [ + dup58, + select34, + part163, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg98 = msg("named:24", all35); + + var part164 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{fld2}: no more recursive clients %{p0}"); + + var part165 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "no more recursive clients%{p0}"); + + var select35 = linear_select([ + part164, + part165, + ]); + + var part166 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); + + var all36 = all_match({ + processors: [ + dup58, + select35, + part166, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg99 = msg("named:26", all36); + + var part167 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{fld2->} : %{fld3->} response from Internet for %{p0}"); + + var part168 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{fld3->} response from Internet for %{p0}"); + + var select36 = linear_select([ + part167, + part168, + ]); + + var part169 = match_copy("MESSAGE#85:named:27/2", "nwparser.p0", "fld4"); + + var all37 = all_match({ + processors: [ + dup58, + select36, + part169, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg100 = msg("named:27", all37); + + var part170 = match("MESSAGE#86:named:38/2", "nwparser.p0", "#%{saddr->} %{p0}"); + + var part171 = match("MESSAGE#86:named:38/3_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + + var part172 = match("MESSAGE#86:named:38/3_1", 
"nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); + + var select37 = linear_select([ + part171, + part172, + dup54, + ]); + + var part173 = match("MESSAGE#86:named:38/4", "nwparser.p0", "%{}query%{p0}"); + + var part174 = match("MESSAGE#86:named:38/5_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); + + var part175 = match("MESSAGE#86:named:38/5_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); + + var select38 = linear_select([ + part174, + part175, + ]); + + var all38 = all_match({ + processors: [ + dup51, + dup73, + part170, + select37, + part173, + select38, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg101 = msg("named:38", all38); + + var part176 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup50, + dup15, + dup7, + dup9, + dup55, + ])); + + var msg102 = msg("named:39", part176); + + var part177 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg103 = msg("named:46", part177); + + var part178 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg104 = msg("named:64", part178); + + var part179 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, + dup47, + ])); + + var msg105 = msg("named:45", part179); + + var part180 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: 
updating zone '%{p0}"); + + var part181 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); + + var part182 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); + + var select39 = linear_select([ + part181, + part182, + ]); + + var part183 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); + + var part184 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa"); + + var part185 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6}"); + + var part186 = match_copy("MESSAGE#91:named:44/3_2", "nwparser.p0", "fld5"); + + var select40 = linear_select([ + part184, + part185, + part186, + ]); + + var all39 = all_match({ + processors: [ + part180, + select39, + part183, + select40, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg106 = msg("named:44", all39); + + var part187 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg107 = msg("named:43", part187); + + var part188 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup7, + dup9, + dup56, + ])); + + var msg108 = msg("named:42", part188); + + var part189 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg109 = msg("named:41", part189); + + var part190 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ + setc("eventcategory","1502000000"), + dup7, + dup9, + ])); + + var msg110 = msg("named:47", part190); + + var part191 = match("MESSAGE#96:named:48", 
"nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup57, + dup7, + dup9, + dup30, + ])); + + var msg111 = msg("named:48", part191); + + var part192 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg112 = msg("named:62", part192); + + var part193 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg113 = msg("named:53", part193); + + var part194 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %(unknown):%{fld2}", processor_chain([ + dup49, + dup7, + dup9, + setc("event_description"," query failed"), + ])); + + var msg114 = msg("named:77", part194); + + var part195 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ + dup59, + dup7, + dup9, + dup47, + ])); + + var msg115 = msg("named:52", part195); + + var part196 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ + dup59, + dup7, + dup9, + ])); + + var msg116 = msg("named:50", part196); + + var part197 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup57, + dup7, + dup9, + dup50, + dup15, + dup55, + ])); + + var msg117 = msg("named:51", part197); + + var part198 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup59, + dup7, + dup9, + dup3, + dup15, + dup30, + ])); + + var msg118 = msg("named:54", part198); + + var part199 = match("MESSAGE#104:named:55/0", 
"nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); + + var part200 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); + + var part201 = match_copy("MESSAGE#104:named:55/1_1", "nwparser.p0", "fld2"); + + var select41 = linear_select([ + part200, + part201, + ]); + + var all40 = all_match({ + processors: [ + part199, + select41, + ], + on_success: processor_chain([ + dup59, + dup7, + dup9, + dup6, + dup30, + dup60, + ]), + }); + + var msg119 = msg("named:55", all40); + + var part202 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, + dup50, + dup15, + dup30, + dup60, + ])); + + var msg120 = msg("named:56", part202); + + var part203 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, + setc("ec_outcome","Error"), + dup30, + dup60, + ])); + + var msg121 = msg("named:57", part203); + + var part204 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); + + var part205 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); + + var part206 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); + + var select42 = linear_select([ + part205, + part206, + ]); + + var part207 = match_copy("MESSAGE#107:named:04/2", "nwparser.p0", "sport"); + + var all41 = all_match({ + processors: [ + part204, + select42, + part207, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg122 = msg("named:04", all41); + + var part208 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, + dup30, + dup60, + ])); + + var msg123 = 
msg("named:58", part208); + + var part209 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup60, + ])); + + var msg124 = msg("named:59", part209); + + var part210 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup60, + setc("event_description","skipping nameserver because it is a CNAME"), + ])); + + var msg125 = msg("named:60", part210); + + var part211 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%(unknown)'", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg126 = msg("named:61", part211); + + var part212 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + dup35, + ])); + + var msg127 = msg("named:73", part212); + + var part213 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg128 = msg("named:74", part213); + + var part214 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); + + var part215 = match_copy("MESSAGE#114:named:07/0_1", "nwparser.payload", "event_description"); + + var select43 = linear_select([ + part214, + part215, + ]); + + var all42 = all_match({ + processors: [ + select43, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + dup30, + ]), + }); + + var msg129 = msg("named:07", all42); + + var select44 = linear_select([ + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + 
msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + ]); + + var part216 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","can't read sid"), + ])); + + var msg130 = msg("pidof:01", part216); + + var part217 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg131 = msg("pidof", part217); + + var select45 = linear_select([ + msg130, + msg131, + ]); + + var part218 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. 
%{result}", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Configured local-address not available as source address for DNS updates"), + ])); + + var msg132 = msg("validate_dhcpd:01", part218); + + var msg133 = msg("validate_dhcpd", dup74); + + var select46 = linear_select([ + msg132, + msg133, + ]); + + var msg134 = msg("syslog-ng", dup65); + + var part219 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg135 = msg("kernel", part219); + + var msg136 = msg("kernel:01", dup65); + + var select47 = linear_select([ + msg135, + msg136, + ]); + + var msg137 = msg("radiusd", dup65); + + var part220 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg138 = msg("rc", part220); + + var msg139 = msg("rc3", dup65); + + var part221 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg140 = msg("rcsysinit", part221); + + var msg141 = msg("rcsysinit:01", dup65); + + var select48 = linear_select([ + msg140, + msg141, + ]); + + var part222 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %(unknown), with timeout = %{duration->} secs", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg142 = msg("watchdog", part222); + + var part223 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg143 = msg("watchdog:01", part223); + + var part224 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg144 = msg("watchdog:02", part224); + + var part225 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = 
%{resultcode}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg145 = msg("watchdog:03", part225); + + var msg146 = msg("watchdog:04", dup65); + + var select49 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var msg147 = msg("init", dup65); + + var part226 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg148 = msg("logger", part226); + + var msg149 = msg("logger:01", dup65); + + var select50 = linear_select([ + msg148, + msg149, + ]); + + var part227 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg150 = msg("openvpn-member", part227); + + var msg151 = msg("openvpn-member:01", dup75); + + var part228 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg152 = msg("openvpn-member:02", part228); + + var part229 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg153 = msg("openvpn-member:03", part229); + + var msg154 = msg("openvpn-member:04", dup76); + + var msg155 = msg("openvpn-member:05", dup65); + + var select51 = linear_select([ + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + ]); + + var part230 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg156 = msg("sshd", part230); + + var part231 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); + + var part232 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); + + var part233 = match("MESSAGE#140:sshd:01/1_1", 
"nwparser.p0", "%{username->} from %{p0}"); + + var select52 = linear_select([ + part232, + part233, + ]); + + var part234 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); + + var all43 = all_match({ + processors: [ + part231, + select52, + part234, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg157 = msg("sshd:01", all43); + + var part235 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg158 = msg("sshd:02", part235); + + var part236 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg159 = msg("sshd:03", part236); + + var part237 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ + setc("eventcategory","1601000000"), + dup7, + dup9, + ])); + + var msg160 = msg("sshd:04", part237); + + var part238 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ + dup2, + dup3, + dup5, + dup15, + dup7, + dup9, + setc("event_description","logout"), + ])); + + var msg161 = msg("sshd:05", part238); + + var part239 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ + dup16, + dup7, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + ])); + + var msg162 = msg("sshd:06", part239); + + var part240 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup13, + dup7, + setc("result","slowing down ssh login"), + setc("event_description","Sleep 60 seconds"), + ])); + + var msg163 = msg("sshd:07", part240); + + var part241 = 
match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010300"), + dup7, + setc("event_description","authentication succeeded"), + dup9, + dup61, + ])); + + var msg164 = msg("sshd:08", part241); + + var part242 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","User group"), + dup61, + ])); + + var msg165 = msg("sshd:09", part242); + + var part243 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Bad protocol version identification"), + dup61, + ])); + + var msg166 = msg("sshd:10", part243); + + var select53 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + ]); + + var part244 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg167 = msg("openvpn-master", part244); + + var part245 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg168 = msg("openvpn-master:01", part245); + + var msg169 = msg("openvpn-master:02", dup75); + + var part246 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg170 = msg("openvpn-master:03", part246); + + var part247 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg171 = msg("openvpn-master:04", 
part247); + + var part248 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg172 = msg("openvpn-master:05", part248); + + var msg173 = msg("openvpn-master:06", dup76); + + var msg174 = msg("openvpn-master:07", dup65); + + var select54 = linear_select([ + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + ]); + + var part249 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg175 = msg("INFOBLOX-Grid", part249); + + var part250 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); + + var part251 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); + + var select55 = linear_select([ + part250, + part251, + ]); + + var part252 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); + + var all44 = all_match({ + processors: [ + select55, + part252, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg176 = msg("INFOBLOX-Grid:02", all44); + + var part253 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Upgrade Complete"), + ])); + + var msg177 = msg("INFOBLOX-Grid:03", part253); + + var part254 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg178 = msg("INFOBLOX-Grid:04", part254); + + var select56 = linear_select([ + msg175, + msg176, + msg177, + msg178, + ]); + + var part255 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg179 = msg("db_jnld", part255); + + var 
part256 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); + + var part257 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); + + var part258 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); + + var part259 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); + + var part260 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); + + var part261 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); + + var select57 = linear_select([ + part257, + part258, + part259, + part260, + part261, + ]); + + var part262 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "\"%{fld1}\" in zone \"%{zone}\""); + + var all45 = all_match({ + processors: [ + part256, + select57, + part262, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg180 = msg("db_jnld:01", all45); + + var select58 = linear_select([ + msg179, + msg180, + ]); + + var part263 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); + + var part264 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes}"); + + var part265 = match_copy("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "space"); + + var select59 = linear_select([ + part264, + part265, + ]); + + var all46 = all_match({ + processors: [ + part263, + select59, + ], + on_success: processor_chain([ + dup13, + dup7, + dup9, + ]), + }); + + var msg181 = msg("sSMTP", all46); + + var part266 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg182 = msg("sSMTP:02", part266); + + var part267 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var msg183 = msg("sSMTP:03", part267); + + var msg184 = msg("sSMTP:04", dup74); + + var select60 = 
linear_select([ + msg181, + msg182, + msg183, + msg184, + ]); + + var part268 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg185 = msg("scheduled_backups", part268); + + var part269 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Scheduled backup to the FTP server was successful"), + ])); + + var msg186 = msg("scheduled_ftp_backups", part269); + + var part270 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ + dup16, + dup7, + dup9, + setc("event_description","Scheduled backup to the FTP server failed"), + ])); + + var msg187 = msg("failed_scheduled_ftp_backups", part270); + + var select61 = linear_select([ + msg186, + msg187, + ]); + + var part271 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %(unknown)", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Scheduled backup to the SCP server was successful"), + ])); + + var msg188 = msg("scheduled_scp_backups", part271); + + var part272 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg189 = msg("python", part272); + + var part273 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg190 = msg("python:01", part273); + + var part274 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view 
'%{fld1}'.", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg191 = msg("python:02", part274); + + var part275 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg192 = msg("python:03", part275); + + var part276 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg193 = msg("python:04", part276); + + var part277 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg194 = msg("python:05", part277); + + var msg195 = msg("python:06", dup65); + + var select62 = linear_select([ + msg189, + msg190, + msg191, + msg192, + msg193, + msg194, + msg195, + ]); + + var part278 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup12, + dup7, + dup9, + ])); + + var msg196 = msg("monitor", part278); + + var part279 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg197 = msg("snmptrapd", part279); + + var part280 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg198 = msg("snmptrapd:01", part280); + + var msg199 = msg("snmptrapd:02", dup65); + + var select63 = linear_select([ + msg197, + msg198, + msg199, + ]); + + var part281 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg200 = msg("ntpdate", part281); + + var 
msg201 = msg("ntpdate:01", dup74); + + var select64 = linear_select([ + msg200, + msg201, + ]); + + var msg202 = msg("phonehome", dup65); + + var part282 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg203 = msg("purge_scheduled_tasks", part282); + + var part283 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ + dup14, + dup3, + dup4, + dup11, + dup15, + dup7, + date_time({ + dest: "event_time", + args: ["fld20","fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup9, + setc("event_description","Login Denied"), + ])); + + var msg204 = msg("serial_console:04", part283); + + var part284 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ + dup14, + dup3, + dup4, + dup11, + dup15, + dup7, + dup9, + setc("event_description","No authentication methods succeeded for user"), + ])); + + var msg205 = msg("serial_console:03", part284); + + var part285 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ + dup10, + dup3, + dup4, + dup11, + dup6, + dup7, + dup8, + dup9, + ])); + + var msg206 = msg("serial_console", part285); + + var part286 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ + setc("eventcategory","1302010100"), + dup3, + dup4, + dup11, + dup6, + dup7, + dup9, + setc("event_description","RADIUS authentication succeeded for user"), + ])); + + var msg207 = msg("serial_console:01", part286); + + var part287 = 
match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","User group identification"), + ])); + + var msg208 = msg("serial_console:02", part287); + + var part288 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","system reboot"), + ])); + + var msg209 = msg("serial_console:05", part288); + + var part289 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Local authentication succeeded for user"), + ])); + + var msg210 = msg("serial_console:06", part289); + + var select65 = linear_select([ + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + ]); + + var msg211 = msg("rc6", dup65); + + var msg212 = msg("acpid", dup65); + + var msg213 = msg("diskcheck", dup65); + + var part290 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg214 = msg("debug_mount", part290); + + var msg215 = msg("smart_check_io", dup65); + + var msg216 = msg("speedstep_control", dup65); + + var part291 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Distribution Started"), + ])); + + var msg217 = msg("controld", part291); + + var part292 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","Distribution Complete"), + ])); + + var msg218 = msg("controld:02", part292); + + var select66 = linear_select([ + msg217, + msg218, + ]); + + var part293 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", 
processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","shutting down for system reboot"), + ])); + + var msg219 = msg("shutdown", part293); + + var part294 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup13, + dup7, + dup9, + setc("event_description","ntpd exiting"), + ])); + + var msg220 = msg("ntpd_initres", part294); + + var part295 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg221 = msg("rsyncd", part295); + + var part296 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg222 = msg("rsyncd:01", part296); + + var part297 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg223 = msg("rsyncd:02", part297); + + var part298 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var msg224 = msg("rsyncd:03", part298); + + var part299 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ + dup13, + dup7, + setc("event_description","building file list"), + dup9, + ])); + + var msg225 = msg("rsyncd:04", part299); + + var select67 = linear_select([ + msg221, + msg222, + msg223, + msg224, + msg225, + ]); + + var msg226 = msg("syslog", dup77); + + var msg227 = msg("restarting", dup77); + + var part300 = match_copy("MESSAGE#227:ipmievd", "nwparser.payload", "fld1", processor_chain([ + dup13, + dup7, + dup9, + dup62, + ])); + + var msg228 = msg("ipmievd", part300); + + var part301 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + 
dup59, + dup7, + dup9, + dup61, + ])); + + var msg229 = msg("netauto_discovery", part301); + + var part302 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup59, + dup7, + dup9, + dup61, + setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), + ])); + + var msg230 = msg("netauto_discovery:01", part302); + + var part303 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg231 = msg("netauto_discovery:02", part303); + + var part304 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup63, + dup7, + dup9, + dup61, + dup15, + ])); + + var msg232 = msg("netauto_discovery:03", part304); + + var select68 = linear_select([ + msg229, + msg230, + msg231, + msg232, + ]); + + var part305 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg233 = msg("netauto_core:01", part305); + + var part306 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg234 = msg("netauto_core", part306); + + var select69 = linear_select([ + msg233, + msg234, + ]); + + var part307 = match_copy("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "event_description", processor_chain([ + dup49, + dup7, + dup9, + dup61, + dup15, + ])); + + var msg235 = msg("captured_dns_uploader", part307); + + var part308 = 
match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup63, + dup7, + dup9, + dup61, + dup11, + dup15, + ])); + + var msg236 = msg("DIS", part308); + + var part309 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ + dup59, + dup7, + dup9, + dup61, + ])); + + var msg237 = msg("DIS:01", part309); + + var select70 = linear_select([ + msg236, + msg237, + ]); + + var part310 = match_copy("MESSAGE#237:ErrorMsg", "nwparser.payload", "result", processor_chain([ + dup64, + dup7, + dup9, + dup61, + ])); + + var msg238 = msg("ErrorMsg", part310); + + var part311 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + dup61, + ])); + + var msg239 = msg("tacacs_acct", part311); + + var part312 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. 
%{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup64, + dup7, + dup9, + dup61, + setc("event_description","Accounting request failed."), + ])); + + var msg240 = msg("tacacs_acct:01", part312); + + var part313 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ + dup13, + dup7, + dup9, + dup61, + ])); + + var msg241 = msg("tacacs_acct:02", part313); + + var select71 = linear_select([ + msg239, + msg240, + msg241, + ]); + + var part314 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Relay-forward message"), + ])); + + var msg242 = msg("dhcpdv6", part314); + + var part315 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulated Solicit message"), + ])); + + var msg243 = msg("dhcpdv6:01", part315); + + var part316 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","IP unknown - No addresses available for this interface"), + ])); + + var msg244 = msg("dhcpdv6:02", part316); + + var part317 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulating Advertise message"), + ])); + + var msg245 = msg("dhcpdv6:03", part317); + + var part318 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port 
%{sport}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Sending Relay-reply message"), + ])); + + var msg246 = msg("dhcpdv6:04", part318); + + var part319 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulated Information-request message"), + ])); + + var msg247 = msg("dhcpdv6:05", part319); + + var part320 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulating Reply message"), + ])); + + var msg248 = msg("dhcpdv6:06", part320); + + var part321 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","Encapsulated Renew message"), + ])); + + var msg249 = msg("dhcpdv6:07", part321); + + var part322 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var msg250 = msg("dhcpdv6:08", part322); + + var msg251 = msg("dhcpdv6:09", dup69); + + var select72 = linear_select([ + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, + ]); + + var msg252 = msg("debug", dup69); + + var part323 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup13, + dup7, + dup9, + dup30, + setc("event_description","proxying request"), + ])); + + var msg253 = msg("cloud_api", part323); + + var chain1 = processor_chain([ 
+ select3, + msgid_select({ + "DIS": select70, + "ErrorMsg": msg238, + "INFOBLOX-Grid": select56, + "acpid": msg212, + "captured_dns_uploader": msg235, + "cloud_api": msg253, + "controld": select66, + "db_jnld": select58, + "debug": msg252, + "debug_mount": msg214, + "dhcpd": select14, + "dhcpdv6": select72, + "diskcheck": msg213, + "httpd": select4, + "in.tftpd": select5, + "init": msg147, + "ipmievd": msg228, + "kernel": select47, + "logger": select50, + "monitor": msg196, + "named": select44, + "netauto_core": select69, + "netauto_discovery": select68, + "ntpd": select15, + "ntpd_initres": msg220, + "ntpdate": select64, + "openvpn-master": select54, + "openvpn-member": select51, + "phonehome": msg202, + "pidof": select45, + "purge_scheduled_tasks": msg203, + "python": select62, + "radiusd": msg137, + "rc": msg138, + "rc3": msg139, + "rc6": msg211, + "rcsysinit": select48, + "restarting": msg227, + "rsyncd": select67, + "sSMTP": select60, + "scheduled_backups": msg185, + "scheduled_ftp_backups": select61, + "scheduled_scp_backups": msg188, + "serial_console": select65, + "shutdown": msg219, + "smart_check_io": msg215, + "snmptrapd": select63, + "speedstep_control": msg216, + "sshd": select53, + "syslog": msg226, + "syslog-ng": msg134, + "tacacs_acct": select71, + "validate_dhcpd": select46, + "watchdog": select49, + }), + ]); + + var hdr6 = match("HEADER#1:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); + + var part324 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); + + var part325 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); + + var part326 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); + + var part327 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); + + var part328 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); + + var part329 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); + 
+ var part330 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); + + var part331 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); + + var part332 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); + + var part333 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); + + var part334 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); + + var part335 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); + + var part336 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); + + var part337 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); + + var part338 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); + + var part339 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); + + var part340 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); + + var part341 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); + + var part342 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); + + var part343 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); + + var part344 = match_copy("MESSAGE#60:named:19/2", "nwparser.p0", "event_description"); + + var part345 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); + + var part346 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); + + var part347 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); + + var part348 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); + + var part349 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); + + var part350 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); + + var part351 = match_copy("MESSAGE#7:httpd:06", 
"nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var select73 = linear_select([ + dup18, + dup19, + ]); + + var select74 = linear_select([ + dup21, + dup22, + ]); + + var select75 = linear_select([ + dup26, + dup22, + ]); + + var part352 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup30, + ])); + + var select76 = linear_select([ + dup33, + dup34, + ]); + + var select77 = linear_select([ + dup37, + dup38, + dup39, + ]); + + var select78 = linear_select([ + dup42, + dup43, + dup44, + ]); + + var select79 = linear_select([ + dup52, + dup53, + ]); + + var part353 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var part354 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, + ])); + + var part355 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + ])); + + var part356 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup62, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + 
target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/infoblox/0.8.1/data_stream/nios/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox/0.8.1/data_stream/nios/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..87ddd98690 --- /dev/null +++ b/packages/infoblox/0.8.1/data_stream/nios/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,68 @@
+---
+description: Pipeline for Infoblox NIOS
+
+processors:
+  - set:
+      field: ecs.version
+      value: '8.2.0'
+  # User agent
+  - user_agent:
+      field: user_agent.original
+      ignore_missing: true
+  # IP Geolocation Lookup
+  - geoip:
+      field: source.ip
+      target_field: source.geo
+      ignore_missing: true
+  - geoip:
+      field: destination.ip
+      target_field: destination.geo
+      ignore_missing: true
+
+  # IP Autonomous System (AS) Lookup
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: destination.ip
+      target_field: destination.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+  - rename:
+      field: destination.as.asn
+      target_field: destination.as.number
+      ignore_missing: true
+  - rename:
+      field: destination.as.organization_name
+      target_field: destination.as.organization.name
+      ignore_missing: true
+  - append:
+      field: related.hosts
+      value: '{{host.name}}'
+      allow_duplicates: false
+      if: ctx.host?.name != null && ctx.host?.name != ''
+  - remove:
+      field: event.original
+      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+      ignore_failure: true
+      ignore_missing: true
+on_failure:
+  - append:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/infoblox/0.8.1/data_stream/nios/fields/base-fields.yml b/packages/infoblox/0.8.1/data_stream/nios/fields/base-fields.yml
new file mode 100755
index 0000000000..f9d913dd56
--- /dev/null
+++ b/packages/infoblox/0.8.1/data_stream/nios/fields/base-fields.yml
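Review bot: The `on_failure` handler at the end of the pipeline only appends `error.message`, so a document that fails in any processor is still indexed looking like a normally parsed event; the convention in these integrations is to also mark it with `- set:` / `field: event.kind` / `value: pipeline_error` so failed parses can be found and kept out of detection logic. The `user_agent`, `geoip` and `rename` processors also carry no `tag:`, which leaves `_ingest.on_failure_message` without a stable way to say which step failed; a `tag` per processor would make the error attributable. Both are small additions to this hunk only.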
@@ -0,0 +1,46 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: infoblox
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: infoblox.nios
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.
+- name: container.id
+  description: Unique container id.
+  ignore_above: 1024
+  type: keyword
+- name: input.type
+  description: Type of Filebeat input.
+  type: keyword
+- name: log.file.path
+  description: Full path to the log file this event came from.
+  example: /var/log/fun-times.log
+  ignore_above: 1024
+  type: keyword
+- name: log.source.address
+  description: Source address from which the log event was read / sent from.
+  type: keyword
+- name: log.flags
+  description: Flags for the log file.
+  type: keyword
+- name: log.offset
+  description: Offset of the entry in the log file.
+  type: long
+- name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  ignore_above: 1024
+  type: keyword
diff --git a/packages/infoblox/0.8.1/data_stream/nios/fields/ecs.yml b/packages/infoblox/0.8.1/data_stream/nios/fields/ecs.yml
new file mode 100755
index 0000000000..78ddffacce
--- /dev/null
+++ b/packages/infoblox/0.8.1/data_stream/nios/fields/ecs.yml
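Review bot: `input.type`, `log.source.address` and `log.flags` are declared `type: keyword` without the `ignore_above: 1024` that the sibling keyword fields in the same file (`container.id`, `log.file.path`, `tags`) carry, so the file is inconsistent about how oversize values are treated. If the omission is deliberate, a one-line comment above those entries would save the next reader the question; otherwise add `ignore_above: 1024` to each of the three.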
@@ -0,0 +1,541 @@
+- description: |-
+    Date/time when the event originated.
+    This is the date/time extracted from the event, typically representing when the event was generated by the source.
+    If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+    Required field for all events.
+  name: '@timestamp'
+  type: date
+- description: |-
+    The domain name of the client system.
+    This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+  name: client.domain
+  type: keyword
+- description: |-
+    The highest registered client domain, stripped of the subdomain.
+    For example, the registered domain for "foo.example.com" is "example.com".
+    This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+  name: client.registered_domain
+  type: keyword
+- description: |-
+    The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+  name: client.subdomain
+  type: keyword
+- description: |-
+    The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+    This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+  name: client.top_level_domain
+  type: keyword
+- description: |-
+    Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+    Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+  name: destination.address
+  type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+  name: destination.as.number
+  type: long
+- description: Organization name.
+  multi_fields:
+    - name: text
+      type: match_only_text
+  name: destination.as.organization.name
+  type: keyword
+- description: Bytes sent from the destination to the source.
+  name: destination.bytes
+  type: long
+- description: |-
+    The domain name of the destination system.
+    This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+  name: destination.domain
+  type: keyword
+- description: City name.
+  name: destination.geo.city_name
+  type: keyword
+- description: Country name.
+  name: destination.geo.country_name
+  type: keyword
+- description: Longitude and latitude.
+  level: core
+  name: destination.geo.location
+  type: geo_point
+- description: IP address of the destination (IPv4 or IPv6).
+  name: destination.ip
+  type: ip
+- description: |-
+    MAC address of the destination.
+    The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+  name: destination.mac
+  type: keyword
+- description: |-
+    Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+    Typically used with load balancers, firewalls, or routers.
+  name: destination.nat.ip
+  type: ip
+- description: |-
+    Port the source session is translated to by NAT Device.
+    Typically used with load balancers, firewalls, or routers.
+  name: destination.nat.port
+  type: long
+- description: Port of the destination.
+  name: destination.port
+  type: long
+- description: |-
+    The highest registered destination domain, stripped of the subdomain.
+    For example, the registered domain for "foo.example.com" is "example.com".
+    This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+  name: destination.registered_domain
+  type: keyword
+- description: |-
+    The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+    For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+  name: destination.subdomain
+  type: keyword
+- description: |-
+    The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+    This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+  name: destination.top_level_domain
+  type: keyword
+- description: |-
+    The domain name to which this resource record pertains.
+    If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
+  name: dns.answers.name
+  type: keyword
+- description: The type of data contained in this resource record.
+  name: dns.answers.type
+  type: keyword
+- description: |-
+    The highest registered domain, stripped of the subdomain.
+    For example, the registered domain for "foo.example.com" is "example.com".
+    This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+  name: dns.question.registered_domain
+  type: keyword
+- description: |-
+    The subdomain is all of the labels under the registered_domain.
+    If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+  name: dns.question.subdomain
+  type: keyword
+- description: |-
+    The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+    This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+  name: dns.question.top_level_domain
+  type: keyword
+- description: The type of record being queried.
+  name: dns.question.type
+  type: keyword
+- description: |-
+    ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+    When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+  name: ecs.version
+  type: keyword
+- description: Error message.
+  name: error.message
+  type: match_only_text
+- description: |-
+    The action captured by the event.
+    This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+  name: event.action
+  type: keyword
+- description: |-
+    Identification code for this event, if one exists.
+    Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+  name: event.code
+  type: keyword
+- description: |-
+    Timestamp when an event arrived in the central data store.
+    This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+    In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+  name: event.ingested
+  type: date
+- description: |-
+    Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+    This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+  doc_values: false
+  index: false
+  name: event.original
+  type: keyword
+- description: |-
+    This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+    `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+    Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+    Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+    Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+  name: event.outcome
+  type: keyword
+- description: |-
+    This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+    Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+  name: event.timezone
+  type: keyword
+- description: |-
+    Array of file attributes.
+    Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+  name: file.attributes
+  type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+  name: file.directory
+  type: keyword
+- description: |-
+    File extension, excluding the leading dot.
+    Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+  name: file.extension
+  type: keyword
+- description: Name of the file including the extension, without the directory.
+  name: file.name
+  type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/infoblox/0.8.1/data_stream/nios/fields/fields.yml b/packages/infoblox/0.8.1/data_stream/nios/fields/fields.yml new file mode 100755 index 0000000000..ea69cd79e3 --- /dev/null +++ b/packages/infoblox/0.8.1/data_stream/nios/fields/fields.yml 
@@ -0,0 +1,1754 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ - name: datetime
+ type: keyword
+ - name: effective_time
+ type: date
+ description: This key is the effective time referenced by an individual event in a Standard Timestamp format
+ - name: expire_time
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ type: keyword
+ - name: min
+ type: keyword
+ - name: timestamp
+ type: keyword
+ - name: event_queue_time
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ type: keyword
+ - name: tzone
+ type: keyword
+ - name: eventtime
+ type: keyword
+ - name: gmtdate
+ type: keyword
+ - name: gmttime
+ type: keyword
+ - name: p_date
+ type: keyword
+ - name: p_month
+ type: keyword
+ - name: p_time
+ type: keyword
+ - name: p_time2
+ type: keyword
+ - name: p_year
+ type: keyword
+ - name: expire_time_str
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+ - name: stamp
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: result
+ type: keyword
+ description: This key is used to capture the outcome/result string value of an action in a session.
+ - name: severity
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ type: keyword
+ description: This key captures the event category type as specified by the event source.
+ - name: reference_id
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ type: keyword
+ description: This key captures Version of the application or OS which is generating the event.
+ - name: disposition
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of an action in a session
+ - name: category
+ type: keyword
+ description: This key is used to capture the category of an event given by the vendor in the session
+ - name: obj_name
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ type: keyword
+ description: "This key captures Source of the event that’s not a hostname"
+ - name: log_session_id
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ type: keyword
+ description: This key captures Information which adds additional context to the event.
+ - name: change_new
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that’s changing in a session"
+ - name: space
+ type: keyword
+ - name: client
+ type: keyword
+ description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ type: keyword
+ - name: msgIdPart2
+ type: keyword
+ - name: change_old
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that’s changing in a session"
+ - name: operation_id
+ type: keyword
+ description: An alert number or operation number. The values should be unique and non-repeating.
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application, etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that’s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity such as a file or process.
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy.
This contains details about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID.
This must be linked to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+
type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name:
cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ -
name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+
type: keyword
+ - name: log_type
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: logip
+ type: keyword
+ - name: logname
+ type: keyword
+ - name: longitude
+ type: keyword
+ - name: lport
+ type: keyword
+ - name: mbug_data
+ type: keyword
+ - name: misc_name
+ type: keyword
+ - name: msg_type
+ type: keyword
+ - name: msgid
+ type: keyword
+ - name: netsessid
+ type: keyword
+ - name: num
+ type: keyword
+ - name: number1
+ type: keyword
+ - name: number2
+ type: keyword
+ - name: nwwn
+ type: keyword
+ - name: object
+ type: keyword
+ - name: operation
+ type: keyword
+ - name: opkt
+ type: keyword
+ - name: orig_from
+ type: keyword
+ - name: owner_id
+ type: keyword
+ - name: p_action
+ type: keyword
+ - name: p_filter
+ type: keyword
+ - name: p_group_object
+ type: keyword
+ - name: p_id
+ type: keyword
+ - name: p_msgid1
+ type: keyword
+ - name: p_msgid2
+ type: keyword
+ - name: p_result1
+ type: keyword
+ - name: password_chg
+ type: keyword
+ - name: password_expire
+ type: keyword
+ - name: permgranted
+ type: keyword
+ - name: permwanted
+ type: keyword
+ - name: pgid
+ type: keyword
+ - name: policyUUID
+ type: keyword
+ - name: prog_asp_num
+ type: keyword
+ - name: program
+ type: keyword
+ - name: real_data
+ type: keyword
+ - name: rec_asp_device
+ type: keyword
+ - name: rec_asp_num
+ type: keyword
+ - name: rec_library
+ type: keyword
+ - name: recordnum
+ type: keyword
+ - name: ruid
+ type: keyword
+ - name: sburb
+ type: keyword
+ - name: sdomain_fld
+ type: keyword
+ - name: sec
+ type: keyword
+ - name: sensorname
+ type: keyword
+ - name: seqnum
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sessiontype
+ type: keyword
+ - name: sigUUID
+ type: keyword
+ - name: spi
+ type: keyword
+ - name: srcburb
+ type: keyword
+ - name: srcdom
+ type: keyword
+ - name: srcservice
+ type: keyword
+ - name: state
+ type: keyword
+ - name: status1
+ type: keyword
+ - name: svcno
+ type: keyword
+ - name: system
+ type: keyword
+ -
name: tbdstr1
+ type: keyword
+ - name: tgtdom
+ type: keyword
+ - name: tgtdomain
+ type: keyword
+ - name: threshold
+ type: keyword
+ - name: type1
+ type: keyword
+ - name: udb_class
+ type: keyword
+ - name: url_fld
+ type: keyword
+ - name: user_div
+ type: keyword
+ - name: userid
+ type: keyword
+ - name: username_fld
+ type: keyword
+ - name: utcstamp
+ type: keyword
+ - name: v_instafname
+ type: keyword
+ - name: virt_data
+ type: keyword
+ - name: vpnid
+ type: keyword
+ - name: autorun_type
+ type: keyword
+ description: This is used to capture Auto Run type
+ - name: cc_number
+ type: long
+ description: Valid Credit Card Numbers only
+ - name: content
+ type: keyword
+ description: This key captures the content type from protocol headers
+ - name: ein_number
+ type: long
+ description: Employee Identification Numbers only
+ - name: found
+ type: keyword
+ description: This is used to capture the results of regex match
+ - name: language
+ type: keyword
+ description: This is used to capture list of languages the client support and what it prefers
+ - name: lifetime
+ type: long
+ description: This key is used to capture the session lifetime in seconds.
+ - name: link
+ type: keyword
+ description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: match
+ type: keyword
+ description: This key is for regex match name from search.ini
+ - name: param_dst
+ type: keyword
+ description: This key captures the command line/launch argument of the target process or file
+ - name: param_src
+ type: keyword
+ description: This key captures source parameter
+ - name: search_text
+ type: keyword
+ description: This key captures the Search Text used
+ - name: sig_name
+ type: keyword
+ description: This key is used to capture the Signature Name only.
+ - name: snmp_value
+ type: keyword
+ description: SNMP set request value
+ - name: streams
+ type: long
+ description: This key captures number of streams in session
+ - name: db
+ type: group
+ fields:
+ - name: index
+ type: keyword
+ description: This key captures IndexID of the index.
+ - name: instance
+ type: keyword
+ description: This key is used to capture the database server instance name
+ - name: database
+ type: keyword
+ description: This key is used to capture the name of a database or an instance as seen in a session
+ - name: transact_id
+ type: keyword
+ description: This key captures the SQL transantion ID of the current session
+ - name: permissions
+ type: keyword
+ description: This key captures permission or privilege level assigned to a resource.
+ - name: table_name
+ type: keyword
+ description: This key is used to capture the table name
+ - name: db_id
+ type: keyword
+ description: This key is used to capture the unique identifier for a database
+ - name: db_pid
+ type: long
+ description: This key captures the process id of a connection with database server
+ - name: lread
+ type: long
+ description: This key is used for the number of logical reads
+ - name: lwrite
+ type: long
+ description: This key is used for the number of logical writes
+ - name: pread
+ type: long
+ description: This key is used for the number of physical writes
+ - name: network
+ type: group
+ fields:
+ - name: alias_host
+ type: keyword
+ description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
+ - name: domain
+ type: keyword
+ - name: host_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Hostname"
+ - name: network_service
+ type: keyword
+ description: This is used to capture layer 7 protocols/service names
+ - name: interface
+ type: keyword
+ description: This key should be used when the source or destination context of an interface is not clear
+ - name: network_port
+ type: long
+ description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
+ - name: eth_host
+ type: keyword
+ description: Deprecated, use alias.mac
+ - name: sinterface
+ type: keyword
+ description: "This key should only be used when it’s a Source Interface"
+ - name: dinterface
+ type: keyword
+ description: "This key should only be used when it’s a Destination Interface"
+ - name: vlan
+ type: long
+ description: This key should only be used to capture the ID of the Virtual LAN
+ - name: zone_src
+ type: keyword
+ description: "This key should only be used when it’s a Source Zone."
+ - name: zone
+ type: keyword
+ description: This key should be used when the source or destination context of a Zone is not clear
+ - name: zone_dst
+ type: keyword
+ description: "This key should only be used when it’s a Destination Zone."
+ - name: gateway
+ type: keyword
+ description: This key is used to capture the IP Address of the gateway
+ - name: icmp_type
+ type: long
+ description: This key is used to capture the ICMP type only
+ - name: mask
+ type: keyword
+ description: This key is used to capture the device network IPmask.
+ - name: icmp_code
+ type: long
+ description: This key is used to capture the ICMP code only
+ - name: protocol_detail
+ type: keyword
+ description: This key should be used to capture additional protocol information
+ - name: dmask
+ type: keyword
+ description: This key is used for Destionation Device network mask
+ - name: port
+ type: long
+ description: This key should only be used to capture a Network Port when the directionality is not clear
+ - name: smask
+ type: keyword
+ description: This key is used for capturing source Network Mask
+ - name: netname
+ type: keyword
+ description: This key is used to capture the network name associated with an IP range. This is configured by the end user.
+ - name: paddr
+ type: ip
+ description: Deprecated
+ - name: faddr
+ type: keyword
+ - name: lhost
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: remote_domain_id
+ type: keyword
+ - name: addr
+ type: keyword
+ - name: dns_a_record
+ type: keyword
+ - name: dns_ptr_record
+ type: keyword
+ - name: fhost
+ type: keyword
+ - name: fport
+ type: keyword
+ - name: laddr
+ type: keyword
+ - name: linterface
+ type: keyword
+ - name: phost
+ type: keyword
+ - name: ad_computer_dst
+ type: keyword
+ description: Deprecated, use host.dst
+ - name: eth_type
+ type: long
+ description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only
+ - name: ip_proto
+ type: long
+ description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI
+ - name: dns_cname_record
+ type: keyword
+ - name: dns_id
+ type: keyword
+ - name: dns_opcode
+ type: keyword
+ - name: dns_resp
+ type: keyword
+ - name: dns_type
+ type: keyword
+ - name: domain1
+ type: keyword
+ - name: host_type
+ type: keyword
+ - name: packet_length
+ type: keyword
+ - name: host_orig
+ type: keyword
+ description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between.
+ - name: rpayload
+ type: keyword
+ description: This key is used to capture the total number of payload bytes seen in the retransmitted packets.
+ - name: vlan_name
+ type: keyword
+ description: This key should only be used to capture the name of the Virtual LAN
+ - name: investigations
+ type: group
+ fields:
+ - name: ec_activity
+ type: keyword
+ description: This key captures the particular event activity(Ex:Logoff)
+ - name: ec_theme
+ type: keyword
+ description: This key captures the Theme of a particular Event(Ex:Authentication)
+ - name: ec_subject
+ type: keyword
+ description: This key captures the Subject of a particular Event(Ex:User)
+ - name: ec_outcome
+ type: keyword
+ description: This key captures the outcome of a particular Event(Ex:Success)
+ - name: event_cat
+ type: long
+ description: This key captures the Event category number
+ - name: event_cat_name
+ type: keyword
+ description: This key captures the event category name corresponding to the event cat code
+ - name: event_vcat
+ type: keyword
+ description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy.
+ - name: analysis_file
+ type: keyword
+ description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
+ - name: analysis_service
+ type: keyword
+ description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
+ - name: analysis_session
+ type: keyword
+ description: This is used to capture all indicators used for a Session Analysis.
This key should be used to capture an analysis of a session
+ - name: boc
+ type: keyword
+ description: This is used to capture behaviour of compromise
+ - name: eoc
+ type: keyword
+ description: This is used to capture Enablers of Compromise
+ - name: inv_category
+ type: keyword
+ description: This used to capture investigation category
+ - name: inv_context
+ type: keyword
+ description: This used to capture investigation context
+ - name: ioc
+ type: keyword
+ description: This is key capture indicator of compromise
+ - name: counters
+ type: group
+ fields:
+ - name: dclass_c1
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c1.str only
+ - name: dclass_c2
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c2.str only
+ - name: event_counter
+ type: long
+ description: This is used to capture the number of times an event repeated
+ - name: dclass_r1
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r1.str only
+ - name: dclass_c3
+ type: long
+ description: This is a generic counter key that should be used with the label dclass.c3.str only
+ - name: dclass_c1_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c1 only
+ - name: dclass_c2_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c2 only
+ - name: dclass_r1_str
+ type: keyword
+ description: This is a generic ratio string key that should be used with the label dclass.r1 only
+ - name: dclass_r2
+ type: keyword
+ description: This is a generic ratio key that should be used with the label dclass.r2.str only
+ - name: dclass_c3_str
+ type: keyword
+ description: This is a generic counter string key that should be used with the label dclass.c3 only
+ - name: dclass_r3
+ type: keyword
+ description: This is a generic ratio key that
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
+- name: dns.question.domain
+ type: keyword
+ ignore_above: 1024
+ description: Server domain.
+- name: network.interface.name
+ type: keyword
diff --git a/packages/infoblox/0.8.1/data_stream/nios/manifest.yml b/packages/infoblox/0.8.1/data_stream/nios/manifest.yml
new file mode 100755
index 0000000000..1a5481090a
--- /dev/null
+++ b/packages/infoblox/0.8.1/data_stream/nios/manifest.yml
@@ -0,0 +1,204 @@
+title: Infoblox NIOS logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Infoblox NIOS logs
+ description: Collect Infoblox NIOS logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - infoblox-nios
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9512
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Infoblox NIOS logs
+ description: Collect Infoblox NIOS logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - infoblox-nios
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9512
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Infoblox NIOS logs
+ description: Collect Infoblox NIOS logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/infoblox-nios.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - infoblox-nios
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/infoblox/0.8.1/data_stream/nios/sample_event.json b/packages/infoblox/0.8.1/data_stream/nios/sample_event.json
new file mode 100755
index 0000000000..e76a61b2f2
--- /dev/null
+++ b/packages/infoblox/0.8.1/data_stream/nios/sample_event.json
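Review bot: The udp and tcp streams expose only a bind address and port (`udp_host`/`udp_port`, `tcp_host`/`tcp_port`) and no TLS or client-certificate variables, so unless the `tcp.yml.hbs`/`udp.yml.hbs` templates (not in view) enable transport security on their own, an operator who moves the default off `localhost` gets an unauthenticated plaintext listener that accepts syslog from any sender able to reach the socket; neither host var carries a description saying so. I would add to both host vars `description: Address to bind the listener to. Keep it on localhost or a management interface; events are accepted from any sender that can reach the socket.` Separately, `tz_offset` has no description and its default `"local"` does not match the `+HH:mm` format promised by its title, so a line such as `description: Offset applied to timestamps that carry no zone; "local" presumably means the agent host's zone, otherwise give +HH:mm.` (wording to be confirmed against the pipeline) would remove the ambiguity. Finally, `rsa_fields` defaults to true and `preserve_original_event`/`keep_raw_fields` retain raw event text; the sibling Cisco fields file in this change defines an `rsa.identity.password` key ("Passwords seen in any session, plain text or encrypted") and the Infoblox set is likely the same vendored RSA schema, so the descriptions of these three vars should warn that enabling them can persist credentials from the logs.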
@@ -0,0 +1,91 @@ +{ + "@timestamp": "2017-02-18T04:19:24.000Z", + "agent": { + "ephemeral_id": "49aae60b-226f-4fc1-b3c0-9d400ccbf210", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "infoblox.nios", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "code": "httpd", + "dataset": "infoblox.nios", + "ingested": "2022-01-25T12:41:28Z", + "outcome": "failure", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:60049" + } + }, + "observer": { + "product": "Network", + "type": "IPAM", + "vendor": "Infoblox" + }, + "related": { + "hosts": [ + "dolor2707.api.localhost" + ], + "ip": [ + "10.153.111.103" + ], + "user": [ + "doloremi" + ] + }, + "rsa": { + "db": { + "index": "itquiin\n" + }, + "internal": { + "data": "commod", + "messageid": "httpd" + }, + "investigations": { + "ec_activity": "Logon", + "ec_outcome": "Failure", + "ec_subject": "User", + "ec_theme": "Authentication" + }, + "misc": { + "event_source": "dolor2707.api.localhost", + "terminal": "luptasn" + }, + "time": { + "day": "18", + "event_time": "2017-02-18T04:19:24.000Z", + "month": "February" + } + }, + "source": { + "ip": [ + "10.153.111.103" + ] + }, + "tags": [ + "infoblox-nios", + "forwarded" + ], + "user": { + "name": "doloremi" + } +} \ No newline at end of file diff --git a/packages/infoblox/0.8.1/docs/README.md b/packages/infoblox/0.8.1/docs/README.md new file mode 100755 index 0000000000..9c79db21fd --- /dev/null +++ b/packages/infoblox/0.8.1/docs/README.md 
@@ -0,0 +1,799 @@ +# Infoblox integration (Deprecated) + +_This integration is deprecated. Please use one of the other Infoblox +integrations that are specific to an Infoblox product._ + +This integration is for Infoblox device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `nios` dataset: supports Infoblox NIOS logs. + +### Nios + +The `nios` dataset collects Infoblox NIOS logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. 
| keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. 
It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. 
| keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. 
| keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names seen on your event. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | + diff --git a/packages/infoblox/0.8.1/img/logo.svg b/packages/infoblox/0.8.1/img/logo.svg new file mode 100755 index 0000000000..57b4d23b16 --- /dev/null +++ b/packages/infoblox/0.8.1/img/logo.svg @@ -0,0 +1,93 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/infoblox/0.8.1/manifest.yml b/packages/infoblox/0.8.1/manifest.yml new file mode 100755 index 0000000000..3b58b30f64 --- /dev/null +++ b/packages/infoblox/0.8.1/manifest.yml 
@@ -0,0 +1,32 @@
+format_version: 1.0.0
+name: infoblox
+title: Infoblox Logs
+version: "0.8.1"
+description: Deprecated. Use a product-specific Infoblox package instead.
+categories: ["network"]
+release: experimental
+license: basic
+type: integration
+conditions:
+ kibana.version: "^7.14.1 || ^8.0.0"
+policy_templates:
+ - name: nios
+ title: Infoblox NIOS
+ description: Collect Infoblox NIOS logs from syslog or a file.
+ inputs:
+ - type: udp
+ title: Collect logs from Infoblox NIOS via UDP
+ description: Collecting syslog from Infoblox NIOS via UDP
+ - type: tcp
+ title: Collect logs from Infoblox NIOS via TCP
+ description: Collecting syslog from Infoblox NIOS via TCP
+ - type: logfile
+ title: Collect logs from Infoblox NIOS via file
+ description: Collecting syslog from Infoblox NIOS via file.
+icons:
+ - src: /img/logo.svg
+ title: Infoblox NIOS logo
+ size: 32x32
+ type: image/svg+xml
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/juniper/1.1.1/changelog.yml b/packages/juniper/1.1.1/changelog.yml
new file mode 100755
index 0000000000..11a217e4c8
--- /dev/null
+++ b/packages/juniper/1.1.1/changelog.yml
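Review bot: The deprecation notice in `description` tells operators to use "a product-specific Infoblox package" but never names it, so anyone who still has this package installed has to guess which successor to migrate to before this one stops receiving fixes. Since the manifest description is the text surfaced in the integrations catalog, name the successor there, e.g. `description: Deprecated. Use the product-specific Infoblox NIOS package instead.` (the `policy_templates` entry already identifies the product as Infoblox NIOS). It would also help to state in the `nios` policy template description that the `udp` and `tcp` inputs accept plain syslog so the listener should only be exposed to the Infoblox appliances, which is the deployment caveat a reader of a deprecated package is least likely to find elsewhere.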
@@ -0,0 +1,101 @@
+# newer versions go on top
+- version: "1.1.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 8.0.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2588
+- version: "1.0.7"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.0.6"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.5"
+ changes:
+ - description: Deprecate in favor of new specific packages
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2210
+- version: "1.0.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2100
+- version: "1.0.3"
+ changes:
+ - description: Update title and description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "1.0.2"
+ changes:
+ - description: Fixed a bug that prevents the package from working in 7.16.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1882
+- version: "1.0.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1826
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1744
+- version: "0.9.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1666
+- version: "0.8.4"
+ changes:
+ - description: Requires version 7.14.1 of the stack
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1541
+- version: "0.8.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1485
+- version: "0.8.2"
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1392
+- version: "0.8.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "0.8.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.7.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1267
+- version: "0.6.0"
+ changes:
+ - description: update to ECS 1.10.0 and add event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1058
+- version: "0.5.1"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/853
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/package-storage/pull/181
diff --git a/packages/juniper/1.1.1/data_stream/junos/agent/stream/stream.yml.hbs b/packages/juniper/1.1.1/data_stream/junos/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..f8f304c324
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/junos/agent/stream/stream.yml.hbs
@@ -0,0 +1,12572 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Juniper" + product: "Junos" + type: "Routers" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{p0}"); + + var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + + var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("p0"), + ], + }); + + var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("p0"), + ], + }); + + var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(": "), + field("p0"), + ], + }); + + var dup12 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(": "), + field("p0"), + ], + }); + + var dup13 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" ["), + field("p0"), + ], + }); + + var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var dup19 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + 
field("messageid"), + constant("["), + field("pid"), + constant("]: "), + field("p0"), + ], + }); + + var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); + + var dup21 = setc("eventcategory","1605000000"); + + var dup22 = setf("msg","$MSG"); + + var dup23 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup24 = setf("hostname","hhost"); + + var dup25 = setc("event_description","AUDIT"); + + var dup26 = setc("event_description","CRON command"); + + var dup27 = setc("eventcategory","1801030000"); + + var dup28 = setc("eventcategory","1801020000"); + + var dup29 = setc("eventcategory","1605010000"); + + var dup30 = setc("eventcategory","1603000000"); + + var dup31 = setc("event_description","Process mode"); + + var dup32 = setc("event_description","NTP Server Unreachable"); + + var dup33 = setc("eventcategory","1401060000"); + + var dup34 = setc("ec_theme","Authentication"); + + var dup35 = setc("ec_subject","User"); + + var dup36 = setc("ec_activity","Logon"); + + var dup37 = setc("ec_outcome","Success"); + + var dup38 = setc("event_description","rpd proceeding"); + + var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var dup42 = setc("eventcategory","1701010000"); + + var dup43 = setc("ec_outcome","Failure"); + + var dup44 = setc("eventcategory","1401030000"); + + var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); + + var dup46 = setc("eventcategory","1803000000"); + + var dup47 = setc("event_type","VPN"); + + var dup48 = setc("eventcategory","1605020000"); + + var dup49 = setc("eventcategory","1602020000"); + + var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var 
dup51 = setc("eventcategory","1603020000"); + + var dup52 = date_time({ + dest: "event_time", + args: ["hfld32"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup53 = setc("ec_subject","NetworkComm"); + + var dup54 = setc("ec_activity","Create"); + + var dup55 = setc("ec_activity","Stop"); + + var dup56 = setc("event_description","Trap state change"); + + var dup57 = setc("event_description","peer NLRI mismatch"); + + var dup58 = setc("eventcategory","1605030000"); + + var dup59 = setc("eventcategory","1603010000"); + + var dup60 = setc("eventcategory","1606000000"); + + var dup61 = setf("hostname","hhostname"); + + var dup62 = date_time({ + dest: "event_time", + args: ["hfld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup63 = setc("eventcategory","1401050200"); + + var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); + + var dup65 = setc("event_description","unable to run in the background as a daemon"); + + var dup66 = setc("event_description","Another copy of this program is running"); + + var dup67 = setc("event_description","Unable to lock PID file"); + + var dup68 = setc("event_description","Unable to update process PID file"); + + var dup69 = setc("eventcategory","1301000000"); + + var dup70 = setc("event_description","Command stopped"); + + var dup71 = setc("event_description","Unable to create pipes for command"); + + var dup72 = setc("event_description","Command exited"); + + var dup73 = setc("eventcategory","1603050000"); + + var dup74 = setc("eventcategory","1801010000"); + + var dup75 = setc("event_description","Login failure"); + + var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var dup78 = setc("event_description","Unable to open file"); + + var dup79 = 
setc("event_description","SNMP index assigned changed"); + + var dup80 = setc("eventcategory","1302000000"); + + var dup81 = setc("eventcategory","1001020300"); + + var dup82 = setc("event_description","PFE FW SYSLOG_IP"); + + var dup83 = setc("event_description","process_mode"); + + var dup84 = setc("event_description","Logical interface collision"); + + var dup85 = setc("event_description","excessive runtime time during action of module"); + + var dup86 = setc("event_description","Reinitializing"); + + var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); + + var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); + + var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); + + var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + + var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); + + var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var dup93 = setc("eventcategory","1803010000"); + + var dup94 = setc("ec_activity","Deny"); + + var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); + + var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); + + var dup97 = setc("event_description","session denied"); + + var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\"%{p0}"); + + var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); + + var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); + + var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); + + var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var dup104 = setc("dclass_counter1_string","No.of packets from client"); + + var dup105 = setc("event_description","SNMPD AUTH FAILURE"); + + var dup106 = setc("event_description","send send-type (index1) failure"); + + var dup107 = setc("event_description","SNMP trap error"); + + var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); + + var dup109 = setc("event_description","SNMP TRAP LINK UP"); + + var dup110 = setc("event_description","Login Failure"); + + var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); + + var 
dup113 = setc("eventcategory","1701020000"); + + var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); + + var dup116 = setc("event_description","User set command"); + + var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + + var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + + var dup120 = setc("event_description","User set groups to secret"); + + var dup121 = setc("event_description","UI CMDLINE READ LINE"); + + var dup122 = setc("event_description","User commit"); + + var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var dup125 = setc("eventcategory","1401070000"); + + var dup126 = setc("ec_activity","Logoff"); + + var dup127 = setc("event_description","Successful login"); + + var dup128 = setf("hostname","hostip"); + + var dup129 = setc("event_description","TACACS+ failure"); + + var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var dup133 = setc("eventcategory","1003010000"); + + var dup134 = setc("eventcategory","1901000000"); + + var dup135 = linear_select([ + dup14, + dup15, + dup16, + dup17, + ]); + + var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ + dup13, + ])); + + var dup137 = linear_select([ + dup40, + dup41, + ]); + + var dup138 = 
match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup21, + dup22, + dup56, + dup23, + ])); + + var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup51, + dup22, + dup64, + dup23, + ])); + + var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup30, + dup22, + dup65, + dup23, + ])); + + var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup30, + dup22, + dup66, + dup23, + ])); + + var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup30, + dup22, + dup67, + dup23, + ])); + + var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup30, + dup22, + dup68, + dup23, + ])); + + var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + dup71, + dup23, + ])); + + var dup145 = linear_select([ + dup76, + dup77, + ]); + + var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup30, + dup22, + dup79, + dup23, + ])); + + var dup147 = 
match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup30, + dup22, + dup84, + dup23, + ])); + + var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup30, + dup22, + dup85, + dup23, + ])); + + var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup21, + dup22, + dup86, + dup23, + ])); + + var dup150 = linear_select([ + dup88, + dup89, + ]); + + var dup151 = linear_select([ + dup90, + dup45, + ]); + + var dup152 = linear_select([ + dup95, + dup96, + ]); + + var dup153 = linear_select([ + dup101, + dup91, + ]); + + var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup27, + dup22, + 
dup52, + ])); + + var dup156 = linear_select([ + dup118, + dup119, + ]); + + var dup157 = linear_select([ + dup123, + dup124, + ]); + + var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ + dup48, + dup47, + dup23, + dup22, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": restart "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" message repeated "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("("), + field("hfld1"), + constant("): "), + field("p0"), + ], + }), + ])); + + var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); + + var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); 
+ + var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); + + var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); + + var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); + + var select1 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + part1, + part2, + part3, + part4, + part5, + dup8, + ]); + + var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ + dup9, + ])); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part6, + ], + on_success: processor_chain([ + setc("header_id","0004"), + ]), + }); + + var select2 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + ]); + + var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ + dup10, + ])); + + var all2 = all_match({ + processors: [ + dup1, + select2, + part7, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), + }); + + var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("["), + field("hpid"), + constant("]: "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + 
constant(" IFP trace> "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0010"), + dup11, + ])); + + var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0029"), + dup12, + ])); + + var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0015"), + dup12, + ])); + + var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0011"), + dup11, + ])); + + var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0027"), + dup9, + ])); + + var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0012"), + dup9, + ])); + + var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ + setc("header_id","0013"), + dup13, + ])); + + var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var all3 = all_match({ + processors: [ + hdr14, + dup135, + dup136, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.a"), + ]), + }); + + var all4 = all_match({ + processors: [ + dup18, + dup135, + dup136, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.b"), + ]), + }); + + var all5 = all_match({ + processors: [ + dup18, + dup135, + dup136, + ], + on_success: processor_chain([ + 
setc("header_id","0026"), + ]), + }); + + var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0016"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(": "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ + setc("header_id","0017"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0018"), + dup19, + ])); + + var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0028"), + dup19, + ])); + + var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0019"), + dup9, + ])); + + var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0020"), + dup19, + ])); + + var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ + 
setc("header_id","0021"), + dup9, + ])); + + var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0022"), + dup9, + ])); + + var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0023"), + dup19, + ])); + + var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0024"), + dup9, + ])); + + var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ + setc("header_id","0031"), + dup10, + ])); + + var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0032"), + dup19, + ])); + + var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0033"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","3336"), + ])); + + var hdr31 = match("HEADER#34:3339", "message", "%{month->} 
%{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","3339"), + ])); + + var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","3337"), + ])); + + var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","3341"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3338"), + ])); + + var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" node"), + field("hfld1"), + constant(".fpc"), + field("p0"), + ], + }), + ])); + + var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); + + var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); + + var select3 = linear_select([ + part8, + part9, + ]); + + var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); + + var all6 = all_match({ + processors: [ + hdr35, + select3, + part10, + ], + on_success: processor_chain([ + setc("header_id","3340"), + setc("messageid","node"), + ]), + }); + + var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); + + var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); + + var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); + + var select4 = linear_select([ + hdr36, + hdr37, + hdr38, + ]); + + var part11 = match("HEADER#39:9997/1", "nwparser.p0", 
"%{process_id}]:%{payload}"); + + var all7 = all_match({ + processors: [ + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","9997"), + dup20, + ]), + }); + + var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ + setc("header_id","9995"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("p0"), + ], + }), + ])); + + var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ + setc("header_id","9994"), + setc("messageid","qsfp"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld1"), + constant(" qsfp "), + field("p0"), + ], + }), + ])); + + var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ + setc("header_id","9999"), + dup20, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_type"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ + setc("header_id","9998"), + dup20, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("process"), + constant(": "), + field("p0"), + ], + }), + ])); + + var select5 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + all2, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + all3, + all4, + all5, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + all6, + all7, + hdr39, + hdr40, + hdr41, + hdr42, + ]); + + var 
part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","sshd exit status"), + dup23, + ])); + + var msg1 = msg("/usr/sbin/sshd", part12); + + var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","telnetd exit status"), + dup23, + ])); + + var msg2 = msg("/usr/libexec/telnetd", part13); + + var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Alarm Set or Cleared"), + dup23, + ])); + + var msg3 = msg("alarmd", part14); + + var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ + dup21, + dup22, + setc("event_description","Node detected UP"), + dup23, + ])); + + var msg4 = msg("bigd", part15); + + var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ + dup21, + dup22, + setc("event_description","Monitor template id"), + dup23, + ])); + + var msg5 = msg("bigd:01", part16); + + var select6 = linear_select([ + msg4, + msg5, + ]); + + var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","Loading configuration file"), + dup23, + ])); + + var msg6 = msg("bigpipe", part17); + + var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","Begin config install operation"), + dup23, + ])); + + var msg7 = msg("bigpipe:01", part18); + + var 
part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup21, + dup22, + setc("event_description","Audit"), + dup23, + ])); + + var msg8 = msg("bigpipe:02", part19); + + var select7 = linear_select([ + msg6, + msg7, + msg8, + ]); + + var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ + dup21, + dup22, + setc("event_description","portal shutdown"), + dup23, + ])); + + var msg9 = msg("bigstart", part20); + + var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","cga address genration"), + dup23, + ])); + + var msg10 = msg("cgatool", part21); + + var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ + dup21, + dup22, + dup23, + dup24, + ])); + + var msg11 = msg("chassisd:01", part22); + + var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup21, + dup22, + dup25, + dup23, + ])); + + var msg12 = msg("checkd", part23); + + var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ + dup21, + dup22, + setc("event_description","checkd exiting"), + dup23, + ])); + + var msg13 = msg("checkd:01", part24); + + var select8 = linear_select([ + msg12, + msg13, + ]); + + var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","link protection for interface"), + dup23, + ])); + + var msg14 = msg("cosd", part25); + + var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ + dup21, + 
dup22, + setc("event_description","License expiration warning"), + dup23, + ])); + + var msg15 = msg("craftd", part26); + + var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); + + var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); + + var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); + + var select9 = linear_select([ + part28, + part29, + ]); + + var all8 = all_match({ + processors: [ + part27, + select9, + ], + on_success: processor_chain([ + dup21, + dup22, + dup26, + dup23, + ]), + }); + + var msg16 = msg("CRON", all8); + + var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); + + var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); + + var select10 = linear_select([ + part30, + part31, + ]); + + var all9 = all_match({ + processors: [ + select10, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + ]), + }); + + var msg17 = msg("Cmerror", all9); + + var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ + dup21, + dup22, + setc("event_description","cron RELOAD"), + dup23, + ])); + + var msg18 = msg("cron", part32); + + var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup21, + dup22, + dup23, + dup24, + ])); + + var msg19 = msg("CROND", part33); + + var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ + dup27, + dup22, + dup23, + dup24, + ])); + + var msg20 = msg("CROND:02", part34); + + var select11 = linear_select([ + msg19, + msg20, + ]); + + var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", 
"%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ + dup28, + dup22, + dup23, + dup24, + ])); + + var msg21 = msg("crond:01", part35); + + var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Setting ignored"), + dup23, + ])); + + var msg22 = msg("dcd", part36); + + var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); + + var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); + + var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); + + var select12 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); + + var all10 = all_match({ + processors: [ + part37, + select12, + part40, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","EVENT"), + dup23, + ]), + }); + + var msg23 = msg("EVENT", all10); + + var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ + setc("eventcategory","1802000000"), + dup22, + setc("event_description","ftpd connection"), + dup23, + ])); + + var msg24 = msg("ftpd", part41); + + var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup29, + dup23, + dup22, + ])); + + var msg25 = msg("ha_rto_stats_handler", part42); + + var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ + dup21, + dup22, + setc("event_description","LDAP Connection not bound correctly"), + dup23, + ])); + + var msg26 = msg("hostinit", part43); + + var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","PIC_INFO debug - Added entry"), + dup23, + ])); + + var msg27 = msg("ifinfo", part44); + + var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","PIC_INFO debug Initializing spu"), + dup23, + ])); + + var msg28 = msg("ifinfo:01", part45); + + var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","PIC_INFO debug delete from list"), + dup23, + ])); + + var msg29 = msg("ifinfo:02", part46); + + var select13 = linear_select([ + msg27, + msg28, + msg29, + ]); + + var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ + dup21, + dup22, + setc("event_description","IFL anydown change event"), + dup23, + ])); + + var msg30 = msg("ifp_ifl_anydown_change_event", part47); + + var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ + dup21, + dup22, + setc("event_description","ifp ifl config_event"), + dup23, + ])); + + var msg31 = msg("ifp_ifl_config_event", part48); + + var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ + dup21, + dup22, + setc("event_description","ifp_ifl_ext_chg"), + dup23, + ])); + + var msg32 = 
msg("ifp_ifl_ext_chg", part49); + + var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","connection exceeded count limit"), + dup23, + ])); + + var msg33 = msg("inetd", part50); + + var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","exited"), + dup23, + ])); + + var msg34 = msg("inetd:01", part51); + + var select14 = linear_select([ + msg33, + msg34, + ]); + + var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup21, + dup22, + dup31, + dup23, + ])); + + var msg35 = msg("init:04", part52); + + var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ + dup21, + dup22, + dup31, + dup23, + ])); + + var msg36 = msg("init", part53); + + var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","failure target for routing set"), + dup23, + ])); + + var msg37 = msg("init:01", part54); + + var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ + dup21, + dup22, + setc("event_description","ntp started"), + dup23, + ])); + + var msg38 = msg("init:02", part55); + + var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ + dup21, + dup22, + setc("event_description","product mask and model info"), + dup23, + ])); + + var msg39 = msg("init:03", part56); + + var select15 
= linear_select([ + msg35, + msg36, + msg37, + msg38, + msg39, + ]); + + var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","IPC message exceeds MTU"), + dup23, + ])); + + var msg40 = msg("ipc_msg_write", part57); + + var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ + dup28, + dup22, + setc("event_description","listener connection established"), + dup23, + ])); + + var msg41 = msg("connection_established", part58); + + var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); + + var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); + + var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); + + var select16 = linear_select([ + part60, + part61, + ]); + + var all11 = all_match({ + processors: [ + part59, + select16, + ], + on_success: processor_chain([ + dup27, + dup22, + setc("event_description","connection dropped"), + dup23, + ]), + }); + + var msg42 = msg("connection_dropped", all11); + + var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Asserting SONET alarm(s)"), + dup23, + ])); + + var msg43 = msg("kernel", part62); + + var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ + dup21, + dup22, + setc("event_description","interface down"), + dup23, 
+ ])); + + var msg44 = msg("kernel:01", part63); + + var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","loopback suspected om interface"), + dup23, + ])); + + var msg45 = msg("kernel:02", part64); + + var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","soreceive error"), + dup23, + ])); + + var msg46 = msg("kernel:03", part65); + + var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ + dup21, + dup22, + setc("event_description","pfe_peer_alloc state 4"), + dup23, + ])); + + var msg47 = msg("kernel:04", part66); + + var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup21, + dup22, + dup32, + dup23, + ])); + + var msg48 = msg("kernel:05", part67); + + var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup21, + dup22, + dup32, + dup23, + ])); + + var msg49 = msg("kernel:06", part68); + + var select17 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + ]); + + var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","successful user login"), + dup23, + ])); + + var msg50 = msg("successful_login", part69); + + var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ + 
dup33, + dup34, + dup35, + dup36, + dup22, + setc("event_description","user login attempt"), + dup23, + ])); + + var msg51 = msg("login_attempt", part70); + + var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup33, + dup34, + dup37, + dup22, + setc("event_description","PAM module return from login"), + dup23, + ])); + + var msg52 = msg("login", part71); + + var select18 = linear_select([ + msg50, + msg51, + msg52, + ]); + + var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","processing lsys root-logical-system"), + dup23, + ])); + + var msg53 = msg("lsys_ssam_handler", part72); + + var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Removing mif from group"), + dup23, + ])); + + var msg54 = msg("mcsn", part73); + + var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup30, + dup22, + setc("event_description","Firewall rows could not be redirected on device"), + dup23, + ])); + + var msg55 = msg("mrvl_dfw_log_effuse_status", part74); + + var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup30, + dup22, + setc("event_description","mfilter already exists for add"), + dup23, + ])); + + var msg56 = msg("MRVL-L2", part75); + + var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ + dup21, + dup22, + 
setc("event_description","processing profile SP-root"), + dup23, + ])); + + var msg57 = msg("profile_ssam_handler", part76); + + var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","can't get resource bucket"), + dup23, + ])); + + var msg58 = msg("pst_nat_binding_set_profile", part77); + + var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","reinitializing done"), + dup23, + ])); + + var msg59 = msg("task_reconfigure", part78); + + var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); + + var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); + + var select19 = linear_select([ + part79, + part80, + ]); + + var all12 = all_match({ + processors: [ + select19, + ], + on_success: processor_chain([ + dup21, + dup22, + dup23, + dup24, + ]), + }); + + var msg60 = msg("tnetd", all12); + + var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ + dup21, + dup22, + setc("event_description","Session manager active"), + dup23, + ])); + + var msg61 = msg("PFEMAN", part81); + + var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup30, + dup22, + setc("event_description","Could not send message to service"), + dup23, + ])); + + var msg62 = msg("mgd", part82); + + var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Resolve request came for an address matching on 
Wrong nh"), + dup23, + ])); + + var msg63 = msg("Resolve", part83); + + var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","service exited with status"), + dup23, + ])); + + var msg64 = msg("respawn", part84); + + var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup30, + dup22, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup23, + ])); + + var msg65 = msg("root", part85); + + var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","Received data for interface"), + dup23, + ])); + + var msg66 = msg("rpd", part86); + + var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","RSVP neighbor up on interface "), + dup23, + ])); + + var msg67 = msg("rpd:01", part87); + + var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ + dup21, + dup22, + setc("event_description","reseting pending active connection"), + dup23, + ])); + + var msg68 = msg("rpd:02", part88); + + var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ + dup21, + dup22, + dup38, + dup23, + ])); + + var msg69 = msg("rpd_proceeding", part89); + + var select20 = linear_select([ + msg66, + msg67, + msg68, + msg69, + ]); + + var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ + dup21, + dup22, + setc("event_description","user issuing command as root"), + dup23, + ])); + + var msg70 = msg("rshd", part90); + + var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ + dup21, + dup22, + setc("event_description","sfd waiting on accept"), + dup23, + ])); + + var msg71 = msg("sfd", part91); + + var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","Accepted password"), + dup23, + ])); + + var msg72 = msg("sshd", part92); + + var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ + dup27, + dup22, + setc("event_description","Received disconnect"), + dup23, + ])); + + var msg73 = msg("sshd:02", part93); + + var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ + dup30, + dup22, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + dup23, + ])); + + var msg74 = msg("sshd:03", part94); + + var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup30, + dup22, + setc("event_description","Could not write ident string"), + dup23, + ])); + + var msg75 = msg("sshd:04", part95); 
+ + var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ + dup21, + dup22, + setc("event_description","subsystem request for netconf"), + dup23, + ])); + + var msg76 = msg("sshd:05", part96); + + var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); + + var all13 = all_match({ + processors: [ + dup39, + dup137, + part97, + ], + on_success: processor_chain([ + dup29, + dup22, + setc("event_description","send message stats"), + dup23, + ]), + }); + + var msg77 = msg("sshd:06", all13); + + var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); + + var all14 = all_match({ + processors: [ + dup39, + dup137, + part98, + ], + on_success: processor_chain([ + dup42, + setc("ec_theme","Configuration"), + setc("ec_activity","Modify"), + dup37, + dup22, + setc("event_description","Added radius server"), + dup23, + ]), + }); + + var msg78 = msg("sshd:07", all14); + + var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ + setc("eventcategory","1301020000"), + dup34, + dup43, + dup22, + setc("event_description","authentication error"), + dup23, + ])); + + var msg79 = msg("sshd:08", part99); + + var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ + dup30, + dup22, + setc("event_description","unrecognized attribute in policy"), + dup23, + ])); + + var msg80 = msg("sshd:09", part100); + + var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup44, + dup34, + dup43, + dup22, + setc("event_description","PAM module return from sshd"), + dup23, + ])); + + 
var msg81 = msg("sshd:10", part101); + + var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup44, + dup34, + dup43, + dup22, + setc("event_description","PAM authentication chain return"), + dup23, + ])); + + var msg82 = msg("sshd:11", part102); + + var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","can't get client address"), + dup23, + ])); + + var msg83 = msg("sshd:12", part103); + + var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup30, + dup22, + setc("event_description","auth server unresponsive"), + dup23, + ])); + + var msg84 = msg("sshd:13", part104); + + var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup30, + dup22, + setc("event_description","No valid RADIUS responses received"), + dup23, + ])); + + var msg85 = msg("sshd:14", part105); + + var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ + dup21, + dup22, + setc("event_description","Moving to next server"), + dup23, + ])); + + var msg86 = msg("sshd:15", part106); + + var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup44, + dup34, + dup43, + dup22, + setc("event_description","Login failed for user"), + dup23, + ])); + + var msg87 = msg("sshd:16", part107); + + var select21 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + ]); + + var part108 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); + + var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); + + var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); + + var select22 = linear_select([ + part109, + part110, + dup45, + ]); + + var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); + + var all15 = all_match({ + processors: [ + part108, + select22, + part111, + ], + on_success: processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + setc("event_description","authentication failure"), + dup23, + ]), + }); + + var msg88 = msg("Failed:05", all15); + + var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); + + var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); + + var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); + + var select23 = linear_select([ + part113, + part114, + ]); + + var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); + + var all16 = all_match({ + processors: [ + part112, + select23, + part115, + ], + on_success: processor_chain([ + dup46, + dup47, + dup23, + dup22, + ]), + }); + + var msg89 = msg("Failed", all16); + + var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup46, + dup23, + dup22, + ])); + + var msg90 = msg("Failed:01", part116); + + var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); + + var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); + + var select24 = linear_select([ + part117, + part118, + ]); + + var all17 = all_match({ + processors: [ + select24, + ], + 
on_success: processor_chain([ + dup46, + dup23, + dup22, + setf("hostname","hfld1"), + ]), + }); + + var msg91 = msg("Failed:02", all17); + + var select25 = linear_select([ + msg88, + msg89, + msg90, + msg91, + ]); + + var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ + dup21, + dup22, + setc("event_description","syslog daemon restart"), + dup23, + ])); + + var msg92 = msg("syslogd", part119); + + var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup21, + dup22, + dup25, + dup23, + ])); + + var msg93 = msg("ucd-snmp", part120); + + var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ + dup21, + dup22, + setc("event_description","Received TERM or STOP signal"), + dup23, + ])); + + var msg94 = msg("ucd-snmp:01", part121); + + var select26 = linear_select([ + msg93, + msg94, + ]); + + var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ + dup27, + dup22, + setc("event_description","failed to connect to the server"), + dup23, + ])); + + var msg95 = msg("usp_ipc_client_reconnect", part122); + + var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ + dup27, + dup22, + setc("event_description","Trace client disconnected"), + dup23, + ])); + + var msg96 = msg("usp_trace_ipc_disconnect", part123); + + var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup30, + dup22, + setc("event_description","USP trace client cannot reconnect to server"), + dup23, + ])); + + var msg97 = msg("usp_trace_ipc_reconnect", part124); + + var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","flow_print_session_summary_output received"), + dup23, + ])); + + var msg98 = msg("uspinfo", part125); + + var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ + dup21, + dup22, + setc("event_description","Version build date"), + dup23, + ])); + + var msg99 = msg("Version", part126); + + var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","frequency initialized from file"), + dup23, + ])); + + var msg100 = msg("xntpd", part127); + + var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ + dup21, + dup22, + setc("event_description","nptd version build"), + dup23, + ])); + + var msg101 = msg("xntpd:01", part128); + + var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","kernel time sync enabled"), + dup23, + ])); + + var msg102 = msg("xntpd:02", part129); + + var part130 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup21, + dup22, + dup32, + dup23, + ])); + + var msg103 = msg("xntpd:03", part130); + + var select27 = linear_select([ + msg100, + msg101, + msg102, + msg103, + ]); + + var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ + dup21, + dup22, + setc("event_description","last message repeated"), + dup23, + ])); + + var msg104 = msg("last", part131); + + var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ + dup48, + dup47, + dup23, + dup22, + dup24, + ])); + + var msg105 = msg("last:01", part132); + + var select28 = linear_select([ + msg104, + msg105, + ]); + + var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup30, + dup22, + setc("event_description","cannot write ucode mask reg"), + dup23, + ])); + + var msg106 = msg("BCHIP", part133); + + var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ + dup21, + dup22, + setc("event_description","Slot on-line"), + dup23, + ])); + + var msg107 = msg("CM", part134); + + var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Received FC Q map"), + dup23, + ])); + + var msg108 = msg("COS", part135); + + var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","ifd error"), + dup23, + ])); + + var msg109 = msg("COSFPC", part136); + + var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ + dup21, + 
dup22, + setc("event_description","delete class to ifl link"), + dup23, + ])); + + var msg110 = msg("COSMAN", part137); + + var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","Keepalive timeout"), + dup23, + ])); + + var msg111 = msg("RDP", part138); + + var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup30, + dup22, + setc("event_description","Initial time of day set"), + dup23, + ])); + + var msg112 = msg("SNTPD", part139); + + var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ + dup21, + dup22, + setc("event_description","Slot serial number"), + dup23, + ])); + + var msg113 = msg("SSB", part140); + + var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","Unexpected error"), + dup23, + ])); + + var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); + + var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to open file"), + dup23, + ])); + + var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); + + var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup49, + dup22, + setc("event_description","File size mismatch"), + dup23, + ])); + + var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part143); + + var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup49, + dup22, + setc("event_description","Invalid statistics record"), + dup23, + ])); + + var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); + + var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup49, + dup22, + setc("event_description","Class usage statistics error for interface"), + dup23, + ])); + + var msg118 = msg("ACCT_CU_RTSLIB_error", part145); + + var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); + + var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); + + var select29 = linear_select([ + part146, + part147, + ]); + + var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); + + var all18 = all_match({ + processors: [ + dup50, + select29, + part148, + ], + on_success: processor_chain([ + dup49, + dup22, + setc("event_description","error trying to get hostname"), + dup23, + ]), + }); + + var msg119 = msg("ACCT_GETHOSTNAME_error", all18); + + var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup51, + dup22, + setc("event_description","Memory allocation failure"), + dup23, + ])); + + var msg120 = msg("ACCT_MALLOC_FAILURE", part149); + + var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ + dup30, + 
dup22, + setc("event_description","Accounting profile counter not defined in firewall"), + dup23, + ])); + + var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); + + var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup30, + dup22, + setc("event_description","ACCT_XFER_FAILED"), + dup23, + ])); + + var msg122 = msg("ACCT_XFER_FAILED", part151); + + var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup23, + ])); + + var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); + + var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup28, + dup22, + dup52, + ])); + + var msg124 = msg("APPQOS_LOG_EVENT", part153); + + var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup54, + dup22, + setc("result","AppTrack session created"), + dup23, + ])); + + var msg125 = msg("APPTRACK_SESSION_CREATE", part154); + + var part155 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup28, + dup53, + dup55, + dup22, + dup52, + ])); + + var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); + + var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup55, + dup22, + dup23, + ])); + + var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); + + var select30 = linear_select([ + msg126, + msg127, + ]); + + var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup28, + dup53, + dup22, + dup52, + ])); + + var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); + + var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup22, + dup23, + ])); + + var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); + + var select31 = linear_select([ + msg128, + msg129, + ]); + + var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); + + var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); + + var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","bgp connect error"), + dup23, + ])); + + var msg132 = msg("bgp_connect_start", part159); + + var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ + dup21, + dup22, + setc("event_description","bgp peer state change"), + dup23, + ])); + + var msg133 = msg("bgp_event", part160); + + var part161 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup23, + ])); + + var msg134 = msg("bgp_listen_accept", part161); + + var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","bgp reset"), + dup23, + ])); + + var msg135 = msg("bgp_listen_reset", part162); + + var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","peer next hop local"), + dup23, + ])); + + var msg136 = msg("bgp_nexthop_sanity", part163); + + var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ + dup30, + dup22, + setc("event_description","code RED error NOTIFICATION sent"), + dup23, + ])); + + var msg137 = msg("bgp_process_caps", part164); + + var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup30, + dup22, + dup57, + dup23, + ])); + + var msg138 = msg("bgp_process_caps:01", part165); + + var select32 = linear_select([ + msg137, + msg138, + ]); + + var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ + dup30, + dup22, + setc("event_description","connection 
collision"), + setc("result","dropping connection to peer"), + dup23, + ])); + + var msg139 = msg("bgp_pp_recv", part166); + + var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ + dup30, + dup22, + setc("event_description","peer received unexpected EOF"), + dup23, + ])); + + var msg140 = msg("bgp_pp_recv:01", part167); + + var select33 = linear_select([ + msg139, + msg140, + ]); + + var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","bgp send blocked error"), + dup23, + ])); + + var msg141 = msg("bgp_send", part168); + + var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup23, + ])); + + var msg142 = msg("bgp_traffic_timeout", part169); + + var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","boot argument error"), + dup23, + ])); + + var msg143 = msg("BOOTPD_ARG_ERR", part170); + + var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","boot unexpected Id value"), + dup23, + ])); + + var msg144 = msg("BOOTPD_BAD_ID", part171); + + var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","Invalid boot string"), + dup23, + ])); + + var msg145 = msg("BOOTPD_BOOTSTRING", part172); + + var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","configuration file error"), + dup23, + ])); + + var msg146 = msg("BOOTPD_CONFIG_ERR", part173); + + var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to open configuration file"), + dup23, + ])); + + var msg147 = msg("BOOTPD_CONF_OPEN", part174); + + var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup30, + dup22, + setc("event_description","boot - Duplicate revision"), + dup23, + ])); + + var msg148 = msg("BOOTPD_DUP_REV", part175); + + var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup30, + dup22, + setc("event_description","boot - duplicate slot"), + dup23, + ])); + + var msg149 = msg("BOOTPD_DUP_SLOT", part176); + + var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Unexpected ID for model"), + dup23, + ])); + + var msg150 = msg("BOOTPD_MODEL_CHK", part177); + + var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup30, + dup22, + 
setc("event_description","Unsupported model"), + dup23, + ])); + + var msg151 = msg("BOOTPD_MODEL_ERR", part178); + + var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ + dup21, + dup22, + setc("event_description","New configuration installed"), + dup23, + ])); + + var msg152 = msg("BOOTPD_NEW_CONF", part179); + + var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","No boot string found"), + dup23, + ])); + + var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); + + var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","No configuration file found"), + dup23, + ])); + + var msg154 = msg("BOOTPD_NO_CONFIG", part181); + + var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ + dup30, + dup22, + setc("event_description","parse errors on SIGHUP"), + dup23, + ])); + + var msg155 = msg("BOOTPD_PARSE_ERR", part182); + + var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","Reparsing configuration file"), + dup23, + ])); + + var msg156 = msg("BOOTPD_REPARSE", part183); + + var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","select error"), + dup23, + ])); + + var msg157 = 
msg("BOOTPD_SELECT_ERR", part184); + + var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ + dup30, + dup22, + setc("event_description","timeout unreasonable"), + dup23, + ])); + + var msg158 = msg("BOOTPD_TIMEOUT", part185); + + var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ + dup21, + dup22, + setc("event_description","boot version built"), + dup23, + ])); + + var msg159 = msg("BOOTPD_VERSION", part186); + + var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ + dup58, + dup22, + setc("event_description","CHASSISD release built"), + dup23, + ])); + + var msg160 = msg("CHASSISD", part187); + + var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD Unknown option"), + dup23, + ])); + + var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); + + var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ + dup21, + dup22, + setc("event_description","Fans and impellers are now running at normal speed"), + dup23, + ])); + + var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); + + var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ + dup21, + dup22, + setc("event_description","Fans and impellers being set to full speed"), + dup23, + ])); + + var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); + + var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","reading midplane ID EEPROM"), + dup23, + ])); + + var msg164 = msg("CHASSISD_CB_READ", part191); + + var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup23, + ])); + + var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); + + var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup23, + ])); + + var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); + + var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup23, + ])); + + var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); + + var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CONFIG File Problem"), + dup23, + ])); + + var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); + + var part196 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD CONFIG WARNING"), + dup23, + ])); + + var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); + + var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","chassisd already running"), + dup23, + ])); + + var msg170 = msg("CHASSISD_EXISTS", part197); + + var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ + dup21, + dup22, + setc("event_description","Killing existing chassisd and exiting"), + dup23, + ])); + + var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); + + var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","file open error"), + dup23, + ])); + + var msg172 = msg("CHASSISD_FILE_OPEN", part199); + + var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD file statistics error"), + dup23, + ])); + + var msg173 = msg("CHASSISD_FILE_STAT", part200); + + var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD received restart EVENT"), + dup23, + ])); + + var msg174 = 
msg("CHASSISD_FRU_EVENT", part201); + + var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup23, + ])); + + var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); + + var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup23, + ])); + + var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); + + var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Unexpected error from gettimeofday"), + dup23, + ])); + + var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); + + var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ + dup21, + dup22, + setc("event_description","reading host temperature sensor"), + dup23, + ])); + + var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); + + var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup21, + dup22, + setc("event_description","detaching all pseudo devices"), + dup23, + ])); + + var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); + + var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ + dup21, + dup22, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup23, + ])); + + var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); + + var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup21, + dup22, + setc("event_description","CHASSISD IFDEV DETACH PIC"), + dup23, + ])); + + var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); + + var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup21, + dup22, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup23, + ])); + + var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); + + var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup23, + ])); + + var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); + + var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup23, + ])); + + var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); + + var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Message Queue full"), + dup23, + ])); + + var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); + + var part213 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Received unexpected message"), + dup23, + ])); + + var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); + + var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FRU has no connection pipe"), + dup23, + ])); + + var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); + + var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FRU has no connection arguments"), + dup23, + ])); + + var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); + + var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup30, + dup22, + setc("event_description","chassisd MAC address allocation error"), + dup23, + ])); + + var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); + + var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ + dup21, + dup22, + setc("event_description","Using default MAC address base"), + dup23, + ])); + + var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); + + var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup30, + dup22, + 
setc("event_description","management bus failed sanity test"), + dup23, + ])); + + var msg191 = msg("CHASSISD_MBUS_ERROR", part218); + + var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ + dup21, + dup22, + setc("event_description","Using new configuration"), + dup23, + ])); + + var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); + + var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD PARSE ERROR"), + dup23, + ])); + + var msg193 = msg("CHASSISD_PARSE_ERROR", part220); + + var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","Parsing configuration file"), + dup23, + ])); + + var msg194 = msg("CHASSISD_PARSE_INIT", part221); + + var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to open PID file"), + dup23, + ])); + + var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); + + var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Pipe error"), + dup23, + ])); + + var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); + + var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ + dup59, + dup22, + 
setc("event_description","device not powering up"), + dup23, + ])); + + var msg197 = msg("CHASSISD_POWER_CHECK", part224); + + var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ + dup21, + dup22, + setc("event_description","Successful reconnect on soft restart"), + dup23, + ])); + + var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); + + var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ + dup21, + dup22, + setc("event_description","Release mastership notification"), + dup23, + ])); + + var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); + + var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","re_init Invalid RE slot"), + dup23, + ])); + + var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); + + var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to determine mount point for root directory"), + dup23, + ])); + + var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); + + var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","ifmsg sequence gap"), + dup23, + ])); + + var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); + + var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + setc("eventcategory","1603040000"), + dup22, + setc("event_description","Version mismatch"), + dup23, + ])); + + var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); + + var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Serial ID read error"), + dup23, + ])); + + var msg204 = msg("CHASSISD_SERIAL_ID", part231); + + var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","fpga download not complete"), + dup23, + ])); + + var msg205 = msg("CHASSISD_SMB_ERROR", part232); + + var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ + dup58, + dup22, + setc("event_description","SNMP Trap6 generated"), + dup23, + ])); + + var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); + + var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP Trap7 generated"), + dup23, + ])); + + var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); + + var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP trap - FRU power on"), + dup23, + ])); + + var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); + + var part236 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup60, + dup22, + setc("event_description","Received SIGTERM request"), + dup23, + ])); + + var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); + + var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","Taking PIC offline"), + dup23, + ])); + + var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); + + var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","UNEXPECTED EXIT"), + dup23, + ])); + + var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); + + var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ + dup59, + dup22, + setc("event_description","Model number unsupported with this version of chassisd"), + dup23, + ])); + + var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); + + var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup59, + dup22, + setc("event_description","Chassisd Version mismatch"), + dup23, + ])); + + var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); + + var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup59, + dup22, + 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), + dup61, + dup62, + ])); + + var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); + + var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ + dup21, + dup22, + setc("event_description","process RESTART mode"), + dup23, + ])); + + var msg215 = msg("clean_process", part242); + + var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ + dup21, + dup22, + setc("event_description","Chassis Linklocal to MAC"), + dup23, + ])); + + var msg216 = msg("CM_JAVA", part243); + + var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","DCD must be run as root"), + dup23, + ])); + + var msg217 = msg("DCD_AS_ROOT", part244); + + var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup30, + dup22, + setc("event_description","Filter library initialization failed"), + dup23, + ])); + + var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); + + var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); + + var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing configuration file"), + dup23, + ])); + + var msg220 = msg("DCD_PARSE_EMERGENCY", part246); + + var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing filter index file"), + dup23, + ])); + + var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); + + var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing configuration overlay"), + dup23, + ])); + + var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); + + var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup30, + dup22, + setc("event_description","unhandled state was encountered during interface parsing"), + dup23, + ])); + + var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); + + var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing policer indexfile"), + dup23, + ])); + + var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); + + var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to pull file"), + dup23, + ])); + + var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); + + var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","DFWD ARGUMENT 
ERROR"), + dup23, + ])); + + var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); + + var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); + + var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ + dup30, + dup22, + setc("event_description","errors encountered while parsing filter index file"), + dup23, + ])); + + var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); + + var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ + dup30, + dup22, + setc("event_description","encountered unhandled state while parsing interface"), + dup23, + ])); + + var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); + + var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); + + var msg231 = msg("ECCD_DUPLICATE", dup141); + + var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup23, + ])); + + var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); + + var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","ECCD Must be run as root"), + dup23, + ])); + + var msg233 = msg("ECCD_NOT_ROOT", part256); + + var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup23, + ])); + + var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); + + var 
part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PCI read failure"), + dup23, + ])); + + var msg235 = msg("ECCD_PCI_READ_FAILED", part258); + + var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PCI write failure"), + dup23, + ])); + + var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259); + + var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); + + var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); + + var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup23, + ])); + + var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); + + var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","ECCD Usage"), + dup23, + ])); + + var msg240 = msg("ECCD_usage", part261); + + var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ + dup21, + dup22, + setc("event_description","User viewed security audit log with arguments"), + dup23, + ])); + + var msg241 = msg("EVENTD_AUDIT_SHOW", part262); + + var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ + dup21, + dup22, + dup23, + ])); + + var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); + + var part264 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to change owner of file"), + dup23, + ])); + + var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); + + var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FSAD CONFIG ERROR"), + dup23, + ])); + + var msg244 = msg("FSAD_CONFIG_ERROR", part265); + + var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup30, + dup22, + setc("event_description","Connection timed out to client"), + dup23, + ])); + + var msg245 = msg("FSAD_CONNTIMEDOUT", part266); + + var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FSAD_FAILED"), + dup23, + ])); + + var msg246 = msg("FSAD_FAILED", part267); + + var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ + dup30, + dup22, + setc("event_description","Fetch to server to get file timed out"), + dup23, + ])); + + var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); + + var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","fn failed for file"), + dup23, + ])); + + var msg248 = 
msg("FSAD_FILE_FAILED", part269); + + var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to remove file"), + dup23, + ])); + + var msg249 = msg("FSAD_FILE_REMOVE", part270); + + var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to rename file"), + dup23, + ])); + + var msg250 = msg("FSAD_FILE_RENAME", part271); + + var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","stat failed for file"), + dup23, + ])); + + var msg251 = msg("FSAD_FILE_STAT", part272); + + var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to sync file"), + dup23, + ])); + + var msg252 = msg("FSAD_FILE_SYNC", part273); + + var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup30, + dup22, + setc("event_description","Upper limit reached in fsad"), + dup23, + ])); + + var msg253 = msg("FSAD_MAXCONN", part274); + + var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ + dup51, + dup22, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup23, + ])); + + var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part275); + + var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","FSAD must be run as root"), + dup23, + ])); + + var msg255 = msg("FSAD_NOT_ROOT", part276); + + var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","invalid directory"), + dup23, + ])); + + var msg256 = msg("FSAD_PARENT_DIRECTORY", part277); + + var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ + dup30, + dup22, + setc("event_description","File path cannot be a directory"), + dup23, + ])); + + var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); + + var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ + dup30, + dup22, + setc("event_description","Not a regular file"), + dup23, + ])); + + var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); + + var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ + dup30, + dup22, + setc("event_description","fsad received error message from client"), + dup23, + ])); + + var msg259 = msg("FSAD_RECVERROR", part280); + + var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ + dup27, + dup22, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup23, + ])); + + 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); + + var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Received terminating signal"), + dup23, + ])); + + var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); + + var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Open operation on trace file failed"), + dup23, + ])); + + var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); + + var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Incorrect FSAD usage"), + dup23, + ])); + + var msg263 = msg("FSAD_USAGE", part284); + + var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup23, + ])); + + var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); + + var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup23, + ])); + + var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); + + var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup30, + dup22, + setc("event_description","Unknown trap request type"), + dup23, + ])); + + var msg266 = 
msg("GGSN_TRAP_SEND", part287); + + var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup69, + dup34, + setc("ec_subject","Service"), + dup43, + dup22, + setc("event_description","Authorization failed"), + dup23, + ])); + + var msg267 = msg("JADE_AUTH_ERROR", part288); + + var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","JADE EXEC ERROR"), + dup23, + ])); + + var msg268 = msg("JADE_EXEC_ERROR", part289); + + var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ + dup30, + dup22, + setc("event_description","Local user does not exist"), + dup23, + ])); + + var msg269 = msg("JADE_NO_LOCAL_USER", part290); + + var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","JADE PAM error"), + dup23, + ])); + + var msg270 = msg("JADE_PAM_ERROR", part291); + + var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to get local username from PAM"), + dup23, + ])); + + var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); + + var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ + dup30, + dup22, + setc("event_description","arp info overwritten"), + dup23, + ])); + + var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part293); + + var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ + dup30, + dup22, + setc("event_description","security association has been established"), + dup23, + ])); + + var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); + + var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ + dup21, + dup22, + setc("event_description","Task Reinitialized"), + dup61, + dup23, + ])); + + var msg274 = msg("L2CPD_TASK_REINIT", part295); + + var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ + dup21, + dup22, + dup70, + dup23, + ])); + + var msg275 = msg("LIBJNX_EXEC_EXITED", part296); + + var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Child exec failed for command"), + dup23, + ])); + + var msg276 = msg("LIBJNX_EXEC_FAILED", part297); + + var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); + + var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup30, + dup22, + setc("event_description","Command received signal"), + dup23, + ])); + + var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); + + var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ + dup21, + dup22, + dup72, + dup23, + ])); + + var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); + + var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup73, + dup22, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup23, + ])); + + var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); + + var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","Unable to lower privilege level"), + dup23, + ])); + + var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); + + var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","Unable to raise privilege level"), + dup23, + ])); + + var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); + + var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","rcp failed"), + dup23, + ])); + + var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); + + var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup23, + ])); + + var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); + + var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup74, + dup22, + setc("event_description","Client connection error"), + dup23, + ])); + + var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); + + var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","Outbound request failed for command"), + dup23, + ])); + + var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); + + var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ + dup27, + dup22, + setc("event_description","Connection closed while receiving from client"), + dup23, + ])); + + var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); + + var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unable to bind socket"), + dup23, + ])); + + var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); + + var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to attach socket to management routing instance"), + dup23, + ])); + + var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); + + var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LICENSE EXPIRED"), + 
dup23, + ])); + + var msg290 = msg("LICENSE_EXPIRED", part310); + + var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ + dup21, + dup22, + setc("event_description","License key has expired"), + dup23, + ])); + + var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); + + var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","License key expiration soon"), + dup23, + ])); + + var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); + + var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ + dup30, + dup22, + setc("event_description","client aborted login"), + dup23, + ])); + + var msg293 = msg("LOGIN_ABORTED", part313); + + var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + dup23, + ])); + + var msg294 = msg("LOGIN_FAILED", part314); + + var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Incorrect password for user"), + dup23, + ])); + + var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); + + var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + 
setc("result","Failed to set context for user"), + dup23, + ])); + + var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); + + var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Failed to set login ID for user"), + dup23, + ])); + + var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); + + var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Unable to resolve hostname"), + dup23, + ])); + + var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); + + var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); + + var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); + + var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); + + var select34 = linear_select([ + part321, + dup45, + ]); + + var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); + + var all19 = all_match({ + processors: [ + dup39, + dup137, + part319, + dup145, + part320, + select34, + part322, + ], + on_success: processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","Successful Login"), + dup23, + ]), + }); + + var msg299 = msg("LOGIN_INFORMATION", all19); + + var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","No entry in local password 
file for user"), + dup23, + ])); + + var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); + + var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Invalid username"), + dup23, + ])); + + var msg301 = msg("LOGIN_MALFORMED_USER", part324); + + var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); + + var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); + + var select35 = linear_select([ + part325, + part326, + ]); + + var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); + + var all20 = all_match({ + processors: [ + dup50, + select35, + part327, + ], + on_success: processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","PAM authentication error for user"), + dup23, + ]), + }); + + var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); + + var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + setc("event_description","PAM authentication failure"), + setc("result","Failure while authenticating user"), + dup23, + ])); + + var msg303 = msg("LOGIN_PAM_ERROR", part328); + + var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Too many retries while authenticating user"), + dup23, + ])); + + var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); + + 
var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","User authenticated but has no local login ID"), + dup23, + ])); + + var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); + + var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ + setc("eventcategory","1303000000"), + dup34, + dup43, + dup22, + setc("event_description","Failed to end PAM session"), + dup23, + ])); + + var msg306 = msg("LOGIN_PAM_STOP", part331); + + var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Attempt to authenticate unknown user"), + dup23, + ])); + + var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); + + var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Forcing change of expired password for user"), + dup23, + ])); + + var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); + + var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Login of user refused"), + dup23, + ])); + + var msg309 = msg("LOGIN_REFUSED", part334); + + var part335 = match("MESSAGE#305:LOGIN_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","successful login as root"), + setc("result","User logged in as root"), + dup23, + ])); + + var msg310 = msg("LOGIN_ROOT", part335); + + var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ + dup44, + dup34, + dup36, + dup43, + dup22, + dup75, + setc("result","Login attempt timed out"), + dup23, + ])); + + var msg311 = msg("LOGIN_TIMED_OUT", part336); + + var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D ATM ERROR"), + dup23, + ])); + + var msg312 = msg("MIB2D_ATM_ERROR", part337); + + var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CONFIG CHECK FAILED"), + dup23, + ])); + + var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); + + var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + dup78, + dup23, + ])); + + var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); + + var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); + + var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); + + var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","mib2d initialization 
failure"), + dup23, + ])); + + var msg317 = msg("MIB2D_INIT_FAILURE", part340); + + var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D KVM FAILURE"), + dup23, + ])); + + var msg318 = msg("MIB2D_KVM_FAILURE", part341); + + var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup23, + ])); + + var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); + + var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ + dup30, + dup22, + setc("event_description","RTSLIB sequence mismatch"), + dup23, + ])); + + var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); + + var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup23, + ])); + + var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); + + var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup30, + dup22, + setc("event_description","trap_request_header failed"), + dup23, + ])); + + var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); + + var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D 
TRAP SEND FAILURE"), + dup23, + ])); + + var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); + + var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ + dup21, + dup22, + setc("event_description","user sighupped"), + dup23, + ])); + + var msg324 = msg("Multiuser", part347); + + var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate authentication handle"), + dup23, + ])); + + var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); + + var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ + dup80, + dup34, + dup43, + dup22, + setc("event_description","authentication already in progress"), + dup23, + ])); + + var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); + + var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup23, + ])); + + var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); + + var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup23, + ])); + + var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", 
part351); + + var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","CHAP INVALID OPCODE"), + dup23, + ])); + + var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); + + var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup23, + ])); + + var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); + + var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup23, + ])); + + var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); + + var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup81, + dup22, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup23, + ])); + + var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); + + var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup23, + ])); + + var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); + + var 
msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); + + var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate database object"), + dup23, + ])); + + var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); + + var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","DB TABLE CREATE FAILURE"), + dup23, + ])); + + var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); + + var msg337 = msg("NASD_DUPLICATE", dup141); + + var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","EVLIB CREATE FAILURE"), + dup23, + ])); + + var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); + + var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","EVLIB EXIT FAILURE"), + dup23, + ])); + + var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); + + var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate LOCAL module handle"), + dup23, + ])); + + var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); + + var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + 
setc("event_description","NASD must be run as root"), + dup23, + ])); + + var msg341 = msg("NASD_NOT_ROOT", part362); + + var msg342 = msg("NASD_PID_FILE_LOCK", dup142); + + var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); + + var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup23, + ])); + + var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); + + var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PPP READ FAILURE"), + dup23, + ])); + + var msg345 = msg("NASD_PPP_READ_FAILURE", part364); + + var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to send message"), + dup23, + ])); + + var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); + + var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to send all of message"), + dup23, + ])); + + var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); + + var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup30, + dup22, + setc("event_description","Unrecognized authentication protocol"), + dup23, + ])); + + var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); + + var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS password allocation failure"), + dup23, + ])); + + var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); + + var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS CONFIG FAILED"), + dup23, + ])); + + var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); + + var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate RADIUS module handle"), + dup23, + ])); + + var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); + + var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup23, + ])); + + var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); + + var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup23, + ])); + + var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); + + var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unknown response from RADIUS server"), + 
dup23, + ])); + + var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); + + var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS OPEN FAILED"), + dup23, + ])); + + var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); + + var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS SELECT FAILED"), + dup23, + ])); + + var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); + + var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS SET TIMER FAILED"), + dup23, + ])); + + var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); + + var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TRACE FILE OPEN FAILED"), + dup23, + ])); + + var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); + + var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","NASD Usage"), + dup23, + ])); + + var msg359 = msg("NASD_usage", part378); + + var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ + dup21, + dup22, + dup23, + ])); + + var msg360 = msg("NOTICE", part379); + + var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} 
%{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup21, + dup22, + dup82, + dup23, + ])); + + var msg361 = msg("PFE_FW_SYSLOG_IP", part380); + + var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup21, + dup22, + dup82, + dup23, + ])); + + var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); + + var select36 = linear_select([ + msg361, + msg362, + ]); + + var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup21, + dup22, + setc("event_description","Next-hop resolution requests throttled"), + dup23, + ])); + + var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); + + var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","PING TEST COMPLETED"), + dup23, + ])); + + var msg364 = msg("PING_TEST_COMPLETED", part383); + + var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","PING TEST FAILED"), + dup23, + ])); + + var msg365 = msg("PING_TEST_FAILED", part384); + + var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); + + var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); + + var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); + + var select37 = linear_select([ + 
part386, + part387, + ]); + + var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); + + var all21 = all_match({ + processors: [ + dup39, + dup137, + part385, + select37, + part388, + ], + on_success: processor_chain([ + dup21, + dup22, + dup83, + dup23, + ]), + }); + + var msg366 = msg("process_mode", all21); + + var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup21, + dup22, + dup83, + dup23, + ])); + + var msg367 = msg("process_mode:01", part389); + + var select38 = linear_select([ + msg366, + msg367, + ]); + + var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","process exit with status"), + dup23, + ])); + + var msg368 = msg("PWC_EXIT", part390); + + var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ + dup21, + dup22, + setc("event_description","Process released child from state"), + dup23, + ])); + + var msg369 = msg("PWC_HOLD_RELEASE", part391); + + var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","invalid runs argument"), + dup23, + ])); + + var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); + + var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","INVALID TIMEOUT 
ARGUMENT"), + dup23, + ])); + + var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); + + var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ + dup21, + dup22, + setc("event_description","pwc process received terminating signal"), + dup23, + ])); + + var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); + + var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ + dup30, + dup22, + setc("event_description","pwc is sending kill event to child"), + dup23, + ])); + + var msg373 = msg("PWC_KILL_EVENT", part395); + + var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to kill process"), + dup23, + ])); + + var msg374 = msg("PWC_KILL_FAILED", part396); + + var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","kevent failed"), + dup23, + ])); + + var msg375 = msg("PWC_KQUEUE_ERROR", part397); + + var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to create kqueue"), + dup23, + ])); + + var msg376 = msg("PWC_KQUEUE_INIT", part398); + + var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to register 
kqueue filter"), + dup23, + ])); + + var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); + + var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file has bad format"), + dup23, + ])); + + var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); + + var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file error"), + dup23, + ])); + + var msg379 = msg("PWC_LOCKFILE_ERROR", part401); + + var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file not found"), + dup23, + ])); + + var msg380 = msg("PWC_LOCKFILE_MISSING", part402); + + var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file not locked"), + dup23, + ])); + + var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); + + var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup30, + dup22, + setc("event_description","No process specified for PWC"), + dup23, + ])); + + var msg382 = msg("PWC_NO_PROCESS", part404); + + var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","pwc process exited with status"), + 
dup23, + ])); + + var msg383 = msg("PWC_PROCESS_EXIT", part405); + + var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ + dup21, + dup22, + setc("event_description","Process forcing hold down of child until signalled"), + dup23, + ])); + + var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); + + var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ + dup21, + dup22, + setc("event_description","Process holding down child until signalled"), + dup23, + ])); + + var msg385 = msg("PWC_PROCESS_HOLD", part407); + + var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Process not holding down child"), + dup23, + ])); + + var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); + + var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to create child process with pidpopen"), + dup23, + ])); + + var msg387 = msg("PWC_PROCESS_OPEN", part409); + + var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Process holding down child"), + dup23, + ])); + + var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); + + var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Child process timed out"), + dup23, + ])); + + var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); + + var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","signal failure"), + dup23, + ])); + + var msg390 = msg("PWC_SIGNAL_INIT", part412); + + var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to connect socket to service"), + dup23, + ])); + + var msg391 = msg("PWC_SOCKET_CONNECT", part413); + + var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to create socket"), + dup23, + ])); + + var msg392 = msg("PWC_SOCKET_CREATE", part414); + + var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to set socket option"), + dup23, + ])); + + var msg393 = msg("PWC_SOCKET_OPTION", part415); + + var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Write to stdout failed"), + dup23, + ])); + + var msg394 = msg("PWC_STDOUT_WRITE", part416); + + var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + 
dup21, + dup22, + setc("event_description","PWC SYSTEM CALL"), + dup23, + ])); + + var msg395 = msg("PWC_SYSTEM_CALL", part417); + + var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup30, + dup22, + setc("event_description","Unknown kill option"), + dup23, + ])); + + var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); + + var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ + dup30, + dup22, + setc("event_description","Multicast address not allowed"), + dup23, + ])); + + var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); + + var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup23, + ])); + + var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); + + var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to convert numeric address to string"), + dup23, + ])); + + var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); + + var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","rmop_util_set_address status message invalid"), + dup23, + ])); + + var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); + + var msg401 = msg("RMOPD_DUPLICATE", dup141); + + var part423 = 
match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup30, + dup22, + setc("event_description","Only IPv4 source address is supported"), + dup23, + ])); + + var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); + + var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup30, + dup22, + setc("event_description","No route to host"), + dup23, + ])); + + var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); + + var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","IFINDEX NOT ACTIVE"), + dup23, + ])); + + var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); + + var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","IFINDEX NO INFO"), + dup23, + ])); + + var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); + + var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup23, + ])); + + var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); + + var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","IFNAME NO INFO"), + dup23, + ])); + + var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); + + var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","RMOPD Must be run as root"), + dup23, + ])); + + var msg408 = msg("RMOPD_NOT_ROOT", part429); + + var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","No information for routing instance"), + dup23, + ])); + + var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); + + var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TRACEROUTE ERROR"), + dup23, + ])); + + var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); + + var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","RMOPD usage"), + dup23, + ])); + + var msg411 = msg("RMOPD_usage", part432); + + var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD ABORT"), + dup23, + ])); + + var msg412 = msg("RPD_ABORT", part433); + + var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD exiting with active tasks"), + dup23, + ])); + + var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); + + var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file 
\"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD Assertion failed"), + dup23, + ])); + + var msg414 = msg("RPD_ASSERT", part435); + + var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD Soft assertion failed"), + dup23, + ])); + + var msg415 = msg("RPD_ASSERT_SOFT", part436); + + var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ + dup21, + dup22, + setc("event_description","RPD EXIT"), + dup23, + ])); + + var msg416 = msg("RPD_EXIT", part437); + + var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); + + var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); + + var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS lost adjacency"), + dup23, + ])); + + var msg419 = msg("RPD_ISIS_ADJDOWN", part438); + + var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","IS-IS new adjacency"), + dup23, + ])); + + var msg420 = msg("RPD_ISIS_ADJUP", part439); + + var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS new adjacency 
without an address"), + dup23, + ])); + + var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); + + var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup23, + ])); + + var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); + + var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS database overload"), + dup23, + ])); + + var msg423 = msg("RPD_ISIS_OVERLOAD", part442); + + var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","message with unsupported address family received"), + dup23, + ])); + + var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); + + var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup30, + dup22, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup23, + ])); + + var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); + + var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","received deleted routing table from kernel"), + dup23, + ])); + + var msg426 = msg("RPD_KRT_DELETED_RTT", part445); + + var part446 = 
match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ifa generation mismatch"), + dup23, + ])); + + var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); + + var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup30, + dup22, + setc("event_description","CHANGE for ifd failed"), + dup23, + ])); + + var msg428 = msg("RPD_KRT_IFDCHANGE", part447); + + var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup30, + dup22, + setc("event_description","GET SERVICE failure on interface"), + dup23, + ])); + + var msg429 = msg("RPD_KRT_IFDEST_GET", part448); + + var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup30, + dup22, + setc("event_description","GET index for ifd interface failed"), + dup23, + ])); + + var msg430 = msg("RPD_KRT_IFDGET", part449); + + var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ifd generation mismatch"), + dup23, + ])); + + var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); + + var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup23, 
+ ])); + + var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); + + var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup23, + ])); + + var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); + + var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ifl generation mismatch"), + dup23, + ])); + + var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); + + var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","lost interface for route"), + dup23, + ])); + + var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); + + var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","number of next hops exceeded the maximum"), + dup23, + ])); + + var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); + + var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","No device for interface"), + dup23, + ])); + + var msg437 = msg("RPD_KRT_NOIFD", part456); + + var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","received routing table message for unknown table"), + dup23, + ])); + + var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); + + var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Routing socket version mismatch"), + dup23, + ])); + + var msg439 = msg("RPD_KRT_VERSION", part458); + + var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Routing socket message type not supported by kernel"), + dup23, + ])); + + var msg440 = msg("RPD_KRT_VERSIONNONE", part459); + + var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Routing socket message type version is older than expected"), + dup23, + ])); + + var msg441 = msg("RPD_KRT_VERSIONOLD", part460); + + var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Duplicate session ID detected"), + dup23, + ])); + + var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); + + var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface 
%{interface->} is now %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","LDP interface now unblocked"), + dup23, + ])); + + var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); + + var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + setc("eventcategory","1603030000"), + dup22, + setc("event_description","LDP neighbor down"), + dup23, + ])); + + var msg444 = msg("RPD_LDP_NBRDOWN", part463); + + var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","LDP neighbor up"), + dup23, + ])); + + var msg445 = msg("RPD_LDP_NBRUP", part464); + + var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LDP session down"), + dup23, + ])); + + var msg446 = msg("RPD_LDP_SESSIONDOWN", part465); + + var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ + dup21, + dup22, + setc("event_description","LDP session up"), + dup23, + ])); + + var msg447 = msg("RPD_LDP_SESSIONUP", part466); + + var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to obtain a lock"), + dup23, + ])); + + var msg448 = msg("RPD_LOCK_FLOCKED", part467); + + var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", 
processor_chain([ + dup30, + dup22, + setc("event_description","Unable to obtain service lock"), + dup23, + ])); + + var msg449 = msg("RPD_LOCK_LOCKED", part468); + + var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","MPLS LSP CHANGE"), + dup23, + ])); + + var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); + + var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MPLS LSP DOWN"), + dup23, + ])); + + var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); + + var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","MPLS LSP SWITCH"), + dup23, + ])); + + var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); + + var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","MPLS LSP UP"), + dup23, + ])); + + var msg453 = msg("RPD_MPLS_LSP_UP", part472); + + var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MSDP PEER DOWN"), + dup23, + ])); + + var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); + + var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","MSDP PEER UP"), + dup23, + ])); + + var 
msg455 = msg("RPD_MSDP_PEER_UP", part474); + + var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","OSPF neighbor down"), + dup23, + ])); + + var msg456 = msg("RPD_OSPF_NBRDOWN", part475); + + var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","OSPF neighbor up"), + dup23, + ])); + + var msg457 = msg("RPD_OSPF_NBRUP", part476); + + var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ + dup51, + dup22, + setc("event_description","OS MEMHIGH"), + dup23, + ])); + + var msg458 = msg("RPD_OS_MEMHIGH", part477); + + var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","PIM neighbor down"), + setc("result","timeout"), + dup23, + ])); + + var msg459 = msg("RPD_PIM_NBRDOWN", part478); + + var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","PIM neighbor up"), + dup23, + ])); + + var msg460 = msg("RPD_PIM_NBRUP", part479); + + var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Bad checksum for router 
solicitation"), + dup23, + ])); + + var msg461 = msg("RPD_RDISC_CKSUM", part480); + + var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Ignoring interface"), + dup23, + ])); + + var msg462 = msg("RPD_RDISC_NOMULTI", part481); + + var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to locate interface for router"), + dup23, + ])); + + var msg463 = msg("RPD_RDISC_NORECVIF", part482); + + var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Expected multicast for router solicitation"), + dup23, + ])); + + var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); + + var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Nonzero ICMP code for router solicitation"), + dup23, + ])); + + var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); + + var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Insufficient length for router solicitation"), + dup23, + ])); + + var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); + 
+ var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ + dup30, + dup22, + setc("event_description","RIP update with invalid authentication"), + dup23, + ])); + + var msg467 = msg("RPD_RIP_AUTH", part486); + + var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RIP - unable to get broadcast address"), + dup23, + ])); + + var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); + + var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RIP - Unable to join multicast group"), + dup23, + ])); + + var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); + + var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","RIP interface up"), + dup23, + ])); + + var msg470 = msg("RPD_RT_IFUP", part489); + + var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); + + var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup30, + dup22, + setc("event_description","excessive runtime after action of module"), + dup23, + ])); + + var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); + + var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); + + var part491 = 
match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup30, + dup22, + setc("event_description","task extended runtime"), + dup23, + ])); + + var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); + + var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ + dup30, + dup22, + setc("event_description","termination signal received for service"), + dup23, + ])); + + var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); + + var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","version built"), + dup23, + ])); + + var msg476 = msg("RPD_START", part493); + + var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","system command"), + dup23, + ])); + + var msg477 = msg("RPD_SYSTEM", part494); + + var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ + dup21, + dup22, + setc("event_description","Commencing routing updates"), + dup23, + ])); + + var msg478 = msg("RPD_TASK_BEGIN", part495); + + var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","task killed by signal"), + dup23, + ])); + + var msg479 = msg("RPD_TASK_CHILDKILLED", part496); + + var part497 = 
match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","task stopped by signal"), + dup23, + ])); + + var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); + + var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fork task"), + dup23, + ])); + + var msg481 = msg("RPD_TASK_FORK", part498); + + var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","RPD TASK GETWD"), + dup23, + ])); + + var msg482 = msg("RPD_TASK_GETWD", part499); + + var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup30, + dup22, + setc("event_description","Reinitialization not possible"), + dup23, + ])); + + var msg483 = msg("RPD_TASK_NOREINIT", part500); + + var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to close and remove task"), + dup23, + ])); + + var msg484 = msg("RPD_TASK_PIDCLOSED", part501); + + var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD TASK PIDFLOCK"), + dup23, + ])); + + var msg485 = msg("RPD_TASK_PIDFLOCK", part502); + + var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: 
%{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to write"), + dup23, + ])); + + var msg486 = msg("RPD_TASK_PIDWRITE", part503); + + var msg487 = msg("RPD_TASK_REINIT", dup149); + + var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","ignoring task signal"), + dup23, + ])); + + var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); + + var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","COS IPC op failed"), + dup23, + ])); + + var msg489 = msg("RT_COS", part505); + + var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); + + var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); + + var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); + + var select39 = linear_select([ + part508, + dup91, + ]); + + var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); + + var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); + + var select40 = linear_select([ + 
part510, + dup45, + ]); + + var all22 = all_match({ + processors: [ + dup87, + dup150, + part506, + dup151, + part507, + select39, + part509, + select40, + dup92, + ], + on_success: processor_chain([ + dup28, + dup53, + dup54, + dup22, + dup52, + ]), + }); + + var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); + + var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var select41 = linear_select([ + part511, + dup45, + ]); + + var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); + + var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); + + var select42 = linear_select([ + part513, + dup45, + ]); + + var all23 = all_match({ + processors: [ + dup87, + select41, + part512, + select42, + dup92, + ], + on_success: processor_chain([ + dup28, + dup53, + dup54, + dup22, + dup52, + ]), + }); + + var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); + + var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); + + var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); + + var select43 = linear_select([ + part514, + part515, + ]); + + var part516 = 
match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); + + var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); + + var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); + + var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); + + var select44 = linear_select([ + part517, + part518, + part519, + ]); + + var all24 = all_match({ + processors: [ + select43, + part516, + select44, + ], + on_success: processor_chain([ + dup28, + dup53, + dup54, + dup22, + setc("event_description","session created"), + dup23, + ]), + }); + + var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); + + var select45 = linear_select([ + msg490, + msg491, + msg492, + ]); + + var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); + + var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); + + var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); + + var select46 = 
linear_select([ + part521, + part522, + dup45, + ]); + + var all25 = all_match({ + processors: [ + dup87, + dup150, + part520, + select46, + dup92, + ], + on_success: processor_chain([ + dup93, + dup53, + dup94, + dup22, + dup52, + ]), + }); + + var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); + + var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ + dup93, + dup53, + dup94, + dup22, + dup52, + ])); + + var msg494 = msg("RT_FLOW_SESSION_DENY", part523); + + var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); + + var all26 = all_match({ + processors: [ + dup152, + part524, + ], + on_success: processor_chain([ + dup27, + dup53, + dup94, + dup22, + dup97, + dup23, + ]), + }); + + var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); + + var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); + + var all27 = all_match({ + processors: [ + dup152, + part525, + ], + on_success: processor_chain([ + dup27, + dup53, + dup94, + dup22, + dup97, + dup23, + ]), + }); + + var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); + + var select47 = linear_select([ + msg493, + msg494, + msg495, + msg496, + ]); + + var select48 = linear_select([ + dup103, + dup45, + ]); + + var all28 = all_match({ + processors: [ + dup98, + dup150, + dup99, + dup151, + dup100, + dup153, + dup102, + select48, + dup92, + ], + on_success: processor_chain([ + dup27, + dup53, + dup55, + dup104, + dup22, + dup52, + ]), + }); + + var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", 
all28); + + var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup53, + dup55, + dup22, + dup52, + ])); + + var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); + + var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); + + var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); + + var select49 = linear_select([ + part527, + part528, + ]); + + var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); + + var all29 = all_match({ + processors: [ + select49, + part529, + ], + on_success: processor_chain([ + dup27, + dup53, + dup55, + dup22, + setc("event_description","session closed"), + dup23, + ]), + }); + + var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); + + var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); + + var select50 = linear_select([ + dup103, + part530, + dup45, + ]); + + var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); + + var all30 = all_match({ + processors: [ + dup98, + dup150, + 
dup99, + dup151, + dup100, + dup153, + dup102, + select50, + part531, + ], + on_success: processor_chain([ + dup27, + dup53, + dup55, + dup104, + dup22, + dup52, + dup61, + ]), + }); + + var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); + + var select51 = linear_select([ + msg497, + msg498, + msg499, + msg500, + ]); + + var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","Fragmented traffic"), + dup23, + ])); + + var msg501 = msg("RT_SCREEN_IP", part532); + + var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg502 = msg("RT_SCREEN_IP:01", part533); + + var select52 = linear_select([ + msg501, + msg502, + ]); + + var msg503 = msg("RT_SCREEN_TCP", dup154); + + var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); + + var msg505 = msg("RT_SCREEN_UDP", dup154); + + var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ + dup27, + dup22, + setc("event_description","attempt to connect to interface failed"), + dup23, + 
])); + + var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); + + var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup27, + dup22, + setc("event_description","unexpected termination of connection"), + dup23, + ])); + + var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); + + var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","client interface connection failure"), + dup23, + ])); + + var msg508 = msg("SERVICED_CLIENT_ERROR", part537); + + var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","remote command execution failed"), + dup23, + ])); + + var msg509 = msg("SERVICED_COMMAND_FAILED", part538); + + var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","client commit configuration failed"), + dup23, + ])); + + var msg510 = msg("SERVICED_COMMIT_FAILED", part539); + + var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","configuration process failed"), + dup23, + ])); + + var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); + + var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SERVICED CONFIG ERROR"), + dup23, + ])); + + var msg512 = msg("SERVICED_CONFIG_ERROR", part541); + + var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","service failed to read path"), + dup23, + ])); + + var msg513 = msg("SERVICED_CONFIG_FILE", part542); + + var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SERVICED CONNECTION ERROR"), + dup23, + ])); + + var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); + + var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","GGSN services disabled"), + dup23, + ])); + + var msg515 = msg("SERVICED_DISABLED_GGSN", part544); + + var msg516 = msg("SERVICED_DUPLICATE", dup141); + + var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","event function failed"), + dup23, + ])); + + var msg517 = msg("SERVICED_EVENT_FAILED", part545); + + var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","service initialization failed"), + dup23, + ])); + + var msg518 = msg("SERVICED_INIT_FAILED", part546); + + var 
part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","memory allocation failure"), + dup23, + ])); + + var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); + + var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","NETWORK FAILURE"), + dup23, + ])); + + var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); + + var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","SERVICED must be run as root"), + dup23, + ])); + + var msg521 = msg("SERVICED_NOT_ROOT", part549); + + var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); + + var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); + + var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","routing socket sequence error"), + dup23, + ])); + + var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); + + var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","set up of signal name handler failed"), + dup23, + ])); + + var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); + + var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","socket create failed with error"), + dup23, + ])); + + var msg526 = msg("SERVICED_SOCKET_CREATE", part552); + + var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","socket function failed"), + dup23, + ])); + + var msg527 = msg("SERVICED_SOCKET_IO", part553); + + var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unable to set socket option"), + dup23, + ])); + + var msg528 = msg("SERVICED_SOCKET_OPTION", part554); + + var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","STDLIB FAILURE"), + dup23, + ])); + + var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); + + var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Incorrect service usage"), + dup23, + ])); + + var msg530 = msg("SERVICED_USAGE", part556); + + var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","object has unexpected value"), + dup23, + ])); + + var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); + + var msg532 = 
msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); + + var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); + + var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); + + var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ + dup21, + dup22, + setc("event_description","AgentX subagent connected"), + dup61, + dup23, + ])); + + var msg535 = msg("SNMP_NS_LOG_INFO", part558); + + var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ + dup21, + dup22, + setc("event_description","ns_subagent registering rows"), + dup61, + dup23, + ])); + + var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); + + var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup23, + ])); + + var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); + + var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ + dup30, + dup22, + dup105, + setc("result","unauthorized SNMP community to unknown community name"), + dup23, + ])); + + var msg538 = msg("SNMPD_AUTH_FAILURE", part561); + + var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ + dup30, + dup22, + dup105, + setc("result","failed input interface authorization to unknown"), + dup23, + 
])); + + var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); + + var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ + dup30, + dup22, + dup105, + setc("result","unauthorized SNMP community "), + dup23, + ])); + + var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); + + var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup30, + dup22, + dup105, + dup61, + dup62, + ])); + + var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); + + var select53 = linear_select([ + msg538, + msg539, + msg540, + msg541, + ]); + + var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP request exceeded community privileges"), + dup23, + ])); + + var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); + + var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ + dup48, + dup22, + setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), + setc("result","request not allowed"), + dup23, + ])); + + var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); + + var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unauthorized SNMP PDU type"), + 
dup23, + ])); + + var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); + + var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup30, + dup22, + setc("event_description","Configuration database has errors"), + dup23, + ])); + + var msg545 = msg("SNMPD_CONFIG_ERROR", part568); + + var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD CONTEXT ERROR"), + dup23, + ])); + + var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); + + var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup23, + ])); + + var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); + + var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup30, + dup22, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup23, + ])); + + var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); + + var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD FILE FAILURE"), + dup23, + ])); + + var msg549 = msg("SNMPD_FILE_FAILURE", part572); + + var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in 
%{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD GROUP ERROR"), + dup23, + ])); + + var msg550 = msg("SNMPD_GROUP_ERROR", part573); + + var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","snmpd initialization failure"), + dup23, + ])); + + var msg551 = msg("SNMPD_INIT_FAILED", part574); + + var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LIBJUNIPER FAILURE"), + dup23, + ])); + + var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); + + var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LOOPBACK ADDR ERROR"), + dup23, + ])); + + var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); + + var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup30, + dup22, + setc("event_description","duplicate memory free"), + dup23, + ])); + + var msg554 = msg("SNMPD_MEMORY_FREED", part577); + + var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","radix_add failed"), + dup23, + ])); + + var msg555 = msg("SNMPD_RADIX_FAILURE", part578); + + var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1->} failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup23, + ])); + + var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); + + var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RMONFILE FAILURE"), + dup23, + ])); + + var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); + + var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup30, + dup22, + setc("event_description","Null cookie"), + dup23, + ])); + + var msg558 = msg("SNMPD_RMON_COOKIE", part581); + + var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","RMON EVENTLOG"), + dup23, + ])); + + var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); + + var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Received io error"), + dup23, + ])); + + var msg560 = msg("SNMPD_RMON_IOERROR", part583); + + var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","internal Get request error"), + dup23, + ])); + + var msg561 = msg("SNMPD_RMON_MIBERROR", part584); + + var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + 
dup30, + dup22, + setc("event_description","sequence mismatch"), + dup23, + ])); + + var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); + + var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup30, + dup22, + dup106, + dup23, + ])); + + var msg563 = msg("SNMPD_SEND_FAILURE", part586); + + var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup30, + dup22, + dup106, + dup23, + ])); + + var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); + + var select54 = linear_select([ + msg563, + msg564, + ]); + + var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD SOCKET FAILURE"), + dup23, + ])); + + var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); + + var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup30, + dup22, + setc("event_description","No buffers available for subagent"), + dup23, + ])); + + var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); + + var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Send to subagent failed"), + dup23, + ])); + + var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); + + var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", 
processor_chain([ + dup30, + dup22, + setc("event_description","system function failed"), + dup23, + ])); + + var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); + + var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ + dup21, + dup22, + setc("event_description","cleared all throttled traps"), + dup23, + ])); + + var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); + + var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP trap: cold start"), + dup23, + ])); + + var msg570 = msg("SNMPD_TRAP_COLD_START", part593); + + var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ + dup30, + dup22, + dup107, + dup23, + ])); + + var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); + + var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup30, + dup22, + dup107, + dup23, + ])); + + var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); + + var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup23, + ])); + + var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); + + var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ + 
dup30, + dup22, + setc("event_description","SNMPD TRAP ERROR"), + dup23, + ])); + + var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); + + var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ + dup21, + dup22, + setc("event_description","Adding trap to queue"), + dup23, + ])); + + var msg575 = msg("SNMPD_TRAP_QUEUED", part598); + + var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ + dup21, + dup22, + setc("event_description","traps queued - sent successfully"), + dup23, + ])); + + var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); + + var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup23, + ])); + + var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); + + var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup23, + ])); + + var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); + + var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ + dup21, + dup22, + 
setc("event_description","SNMP traps throttled"), + dup23, + ])); + + var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); + + var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ + dup30, + dup22, + setc("event_description","unknown SNMP trap type requested"), + dup23, + ])); + + var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); + + var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup23, + ])); + + var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); + + var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup23, + ])); + + var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); + + var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ + dup21, + dup22, + setc("event_description","SNMPD TRAP WARM START"), + dup23, + ])); + + var msg583 = msg("SNMPD_TRAP_WARM_START", part606); + + var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD USER ERROR"), + dup23, + ])); + + var msg584 = msg("SNMPD_USER_ERROR", part607); + + var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP deleting view"), + dup23, + ])); + + var msg585 = msg("SNMPD_VIEW_DELETE", part608); + + var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","installing default SNMP view"), + dup23, + ])); + + var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); + + var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","oid parsing failed for SNMP view"), + dup23, + ])); + + var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); + + var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP_GET_ERROR 1"), + dup23, + ])); + + var msg588 = msg("SNMP_GET_ERROR1", part611); + + var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP GET ERROR 2"), + dup23, + ])); + + var msg589 = msg("SNMP_GET_ERROR2", part612); + + var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP GET ERROR 
3"), + dup23, + ])); + + var msg590 = msg("SNMP_GET_ERROR3", part613); + + var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP GET ERROR 4"), + dup23, + ])); + + var msg591 = msg("SNMP_GET_ERROR4", part614); + + var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP RTSLIB FAILURE"), + dup23, + ])); + + var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); + + var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup30, + dup22, + dup108, + dup23, + ])); + + var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); + + var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup30, + dup22, + dup108, + dup61, + dup62, + ])); + + var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); + + var select55 = linear_select([ + msg593, + msg594, + ]); + + var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup21, + dup22, + dup109, + dup23, + ])); + + var msg595 = msg("SNMP_TRAP_LINK_UP", part618); + + var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} 
[junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ + dup21, + dup22, + dup109, + dup61, + dup62, + ])); + + var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); + + var select56 = linear_select([ + msg595, + msg596, + ]); + + var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup23, + ])); + + var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); + + var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup23, + ])); + + var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); + + var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup23, + ])); + + var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); + + var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup23, + ])); + + var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); + + var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup23, + ])); + + var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); + + var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup23, + ])); + + var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); + + var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup110, + dup23, + ])); + + var msg603 = msg("SSHD_LOGIN_FAILED", part626); + + var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup110, + dup61, + dup52, + setf("process","hfld33"), + ])); + + var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); + + var select57 = linear_select([ + msg603, + msg604, + ]); + + var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","task connect failure"), + dup23, + ])); + + var msg605 = msg("task_connect", part628); + + var msg606 = msg("TASK_TASK_REINIT", dup149); + + var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup30, + dup22, 
+ setc("event_description","Unexpected address family"), + dup23, + ])); + + var msg607 = msg("TFTPD_AF_ERR", part629); + + var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD BIND ERROR"), + dup23, + ])); + + var msg608 = msg("TFTPD_BIND_ERR", part630); + + var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD CONNECT ERROR"), + dup23, + ])); + + var msg609 = msg("TFTPD_CONNECT_ERR", part631); + + var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","TFTPD CONNECT INFO"), + dup23, + ])); + + var msg610 = msg("TFTPD_CONNECT_INFO", part632); + + var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD CREATE ERROR"), + dup23, + ])); + + var msg611 = msg("TFTPD_CREATE_ERR", part633); + + var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD FIO ERR"), + dup23, + ])); + + var msg612 = msg("TFTPD_FIO_ERR", part634); + + var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD FORK ERROR"), + dup23, + ])); + + var msg613 = msg("TFTPD_FORK_ERR", part635); + + var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD NAK ERROR"), + dup23, + ])); + + var msg614 = msg("TFTPD_NAK_ERR", part636); + + var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ + dup30, + dup22, + dup78, + dup23, + ])); + + var msg615 = msg("TFTPD_OPEN_ERR", part637); + + var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup23, + ])); + + var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); + + var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD RECVFROM ERROR"), + dup23, + ])); + + var msg617 = msg("TFTPD_RECVFROM_ERR", part639); + + var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD RECV ERROR"), + dup23, + ])); + + var msg618 = msg("TFTPD_RECV_ERR", part640); + + var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup23, + ])); + + var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); + + var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: 
%{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD SEND ERROR"), + dup23, + ])); + + var msg620 = msg("TFTPD_SEND_ERR", part642); + + var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD SOCKET ERROR"), + dup23, + ])); + + var msg621 = msg("TFTPD_SOCKET_ERR", part643); + + var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD STATFS ERROR"), + dup23, + ])); + + var msg622 = msg("TFTPD_STATFS_ERR", part644); + + var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","adding neighbor to interface"), + dup23, + ])); + + var msg623 = msg("TNP", part645); + + var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ + dup21, + dup22, + setc("event_description","tracing to file"), + dup23, + call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld33"), + ], + }), + ])); + + var msg624 = msg("trace_on", part646); + + var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","trace rotating file"), + dup23, + ])); + + var msg625 = msg("trace_rotate", part647); + + var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","transfered file"), + dup23, + ])); + + var msg626 = msg("transfer-file", 
part648); + + var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","ttloop - peer died"), + dup23, + ])); + + var msg627 = msg("ttloop", part649); + + var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup80, + dup34, + dup35, + dup37, + dup22, + setc("event_description","Authenticated user"), + dup23, + ])); + + var msg628 = msg("UI_AUTH_EVENT", part650); + + var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup30, + dup22, + setc("event_description","Received invalid authentication challenge for user response"), + dup23, + ])); + + var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); + + var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fetch boot time"), + dup23, + ])); + + var msg630 = msg("UI_BOOTTIME_FAILED", part652); + + var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ + dup30, + dup22, + setc("event_description","user path unknown"), + dup23, + ])); + + var msg631 = msg("UI_CFG_AUDIT_NEW", part653); + + var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ + dup42, + dup22, + 
setc("event_description"," user Inserted Security Policies in config"), + dup23, + ])); + + var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); + + var select58 = linear_select([ + msg631, + msg632, + ]); + + var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ + dup21, + dup22, + setc("event_description","User deleted file"), + setc("action","delete"), + dup23, + ])); + + var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); + + var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","User rollback file"), + dup23, + ])); + + var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); + + var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); + + var select59 = linear_select([ + part657, + dup112, + ]); + + var all31 = all_match({ + processors: [ + dup111, + select59, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","User set"), + dup23, + ]), + }); + + var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); + + var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ + dup21, + dup22, + setc("event_description","User config replace"), + setc("action","replace"), + dup23, + ])); + + var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); + + var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ + setc("eventcategory","1701070000"), + dup22, + setc("event_description","User deactivating group(s)"), + setc("action","deactivate"), + 
dup23, + ])); + + var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); + + var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup113, + dup22, + setc("event_description","User updates config file"), + setc("action","update"), + dup23, + ])); + + var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); + + var select60 = linear_select([ + msg633, + msg634, + msg635, + msg636, + msg637, + msg638, + ]); + + var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); + + var select61 = linear_select([ + part661, + dup114, + ]); + + var all32 = all_match({ + processors: [ + dup111, + select61, + dup115, + ], + on_success: processor_chain([ + dup21, + dup22, + dup116, + dup23, + ]), + }); + + var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); + + var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); + + var select62 = linear_select([ + part662, + dup114, + ]); + + var all33 = all_match({ + processors: [ + dup111, + select62, + dup115, + ], + on_success: processor_chain([ + dup21, + dup22, + dup116, + dup23, + ]), + }); + + var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); + + var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ + dup21, + dup22, + setc("event_description","User replace config application(s)"), + dup23, + ])); + + var msg641 = msg("UI_CFG_AUDIT_SET", part663); + + var select63 = linear_select([ + msg639, + msg640, + msg641, + ]); + + var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); + + var all34 = all_match({ + processors: [ + dup117, + dup156, + part664, + ], + on_success: 
processor_chain([ + dup113, + dup22, + dup120, + dup23, + ]), + }); + + var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); + + var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); + + var all35 = all_match({ + processors: [ + dup117, + dup156, + part665, + ], + on_success: processor_chain([ + dup113, + dup22, + dup120, + dup23, + ]), + }); + + var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); + + var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ + dup21, + dup22, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup23, + ])); + + var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); + + var select64 = linear_select([ + msg642, + msg643, + msg644, + ]); + + var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup30, + dup22, + setc("event_description","Too many arguments for child process"), + dup23, + ])); + + var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); + + var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to switch to local user"), + dup23, + ])); + + var msg646 = msg("UI_CHILD_CHANGE_USER", part668); + + var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Child exec failed"), + dup23, + ])); + + var msg647 = msg("UI_CHILD_EXEC", part669); + + var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child 
exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup30, + dup22, + setc("event_description","Child exited"), + dup23, + ])); + + var msg648 = msg("UI_CHILD_EXITED", part670); + + var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to append to log"), + dup23, + ])); + + var msg649 = msg("UI_CHILD_FOPEN", part671); + + var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to create pipe for command"), + dup23, + ])); + + var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); + + var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ + dup21, + dup22, + dup61, + setc("event_description","Child received signal"), + dup23, + ])); + + var msg651 = msg("UI_CHILD_SIGNALED", part673); + + var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ + dup21, + dup22, + setc("event_description","Child stopped"), + dup23, + ])); + + var msg652 = msg("UI_CHILD_STOPPED", part674); + + var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ + dup21, + dup22, + setc("event_description","Starting child"), + dup23, + ])); + + var msg653 = msg("UI_CHILD_START", part675); + + var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Cleanup child"), + dup23, + ])); + + var msg654 = msg("UI_CHILD_STATUS", part676); + + var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","waitpid failed"), + dup23, + ])); + + var msg655 = msg("UI_CHILD_WAITPID", part677); + + var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Idle timeout for user exceeded"), + dup23, + ])); + + var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); + + var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup21, + dup22, + dup121, + dup23, + ])); + + var msg657 = msg("UI_CMDLINE_READ_LINE", part679); + + var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Command execution failed"), + dup23, + ])); + + var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); + + var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fork command"), + dup23, + ])); + + var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); + + var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); + + var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup30, + dup22, + dup70, + dup23, + ])); + + var msg661 = msg("UI_CMDSET_STOPPED", part682); + + var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ + dup30, + dup22, + dup72, + dup23, + ])); + + var msg662 = msg("UI_CMDSET_WEXITED", part683); + + var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Invalid regexp command"), + dup23, + ])); + + var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); + + var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); + + var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); + + var select65 = linear_select([ + part685, + part686, + ]); + + var all36 = all_match({ + processors: [ + dup117, + select65, + ], + on_success: processor_chain([ + dup21, + dup22, + dup122, + dup23, + ]), + }); + + var msg664 = msg("UI_COMMIT", all36); + + var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ + dup21, + dup22, + dup122, + dup23, + ])); + + var msg665 = msg("UI_COMMIT_AT", part687); + + var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ + dup21, + dup22, + setc("event_description","User commit successful"), + dup23, + ])); + + var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); + + var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup30, + dup22, + setc("event_description","User commit failed"), + dup23, + ])); + + var msg667 = msg("UI_COMMIT_AT_FAILED", part689); + + var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to compress file"), + dup23, + ])); + + var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); + + var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ + dup21, + dup22, + setc("event_description","UI COMMIT CONFIRMED"), + dup23, + ])); + + var msg669 = msg("UI_COMMIT_CONFIRMED", part691); + + var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); + + var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); + + var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); + + var select66 = linear_select([ + part693, + part694, + ]); + + var all37 = all_match({ + processors: [ + part692, + select66, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup23, + ]), + }); + + var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); + + var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); + + var all38 = all_match({ + processors: [ + dup50, + dup145, + part695, + ], + on_success: processor_chain([ + dup21, + 
dup22, + setc("event_description","user performed commit confirm"), + dup23, + ]), + }); + + var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); + + var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Skipped empty object"), + dup23, + ])); + + var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); + + var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","COMMIT NOT CONFIRMED"), + dup23, + ])); + + var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); + + var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); + + var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); + + var select67 = linear_select([ + part698, + part699, + ]); + + var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); + + var all39 = all_match({ + processors: [ + dup50, + select67, + part700, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","Commit operation in progress"), + dup23, + ]), + }); + + var msg674 = msg("UI_COMMIT_PROGRESS", all39); + + var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","COMMIT QUIT"), + dup23, + ])); + + var msg675 = msg("UI_COMMIT_QUIT", part701); + + var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup30, + dup22, + setc("event_description","Automatic rollback failed"), + dup23, + ])); + + var 
msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); + + var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","COMMIT SYNC"), + dup23, + ])); + + var msg677 = msg("UI_COMMIT_SYNC", part703); + + var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","All logins to local configuration database were terminated"), + dup23, + ])); + + var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); + + var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); + + var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); + + var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); + + var select68 = linear_select([ + part706, + part707, + ]); + + var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); + + var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + + var select69 = linear_select([ + part709, + dup112, + ]); + + var all40 = all_match({ + processors: [ + part705, + select68, + part708, + select69, + ], + on_success: processor_chain([ + dup30, + dup22, + setc("event_description","CONFIGURATION ERROR"), + dup23, + ]), + }); + + var msg679 = msg("UI_CONFIGURATION_ERROR", all40); + + var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); + + var all41 = all_match({ + processors: [ + dup50, + dup157, + part710, + ], + on_success: processor_chain([ + dup30, + dup22, + 
setc("event_description","socket connection accept failed"), + dup23, + ]), + }); + + var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); + + var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to create session child"), + dup23, + ])); + + var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); + + var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","DAEMON SELECT FAILED"), + dup23, + ])); + + var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); + + var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); + + var all42 = all_match({ + processors: [ + dup50, + dup157, + part713, + ], + on_success: processor_chain([ + dup30, + dup22, + setc("event_description","socket create failed"), + dup23, + ]), + }); + + var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); + + var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to reaccess database file"), + dup23, + ])); + + var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); + + var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ + dup30, + dup22, + setc("event_description","Database is out of data"), + dup23, + ])); + + var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); + + var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to extend database file"), + dup23, + ])); + + var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); + + var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","User entering configuration mode"), + dup23, + ])); + + var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); + + var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ + dup125, + dup34, + dup35, + dup126, + dup37, + dup22, + setc("event_description","User exiting configuration mode"), + dup23, + ])); + + var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); + + var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header extent mismatch"), + dup23, + ])); + + var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); + + var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header major version number mismatch"), + dup23, + ])); + + var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); + + var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header minor version number mismatch"), + dup23, + ])); + + var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); + + var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ + dup30, + dup22, + setc("event_description","Database header sequence numbers mismatch"), + dup23, + ])); + + var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); + + var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header size mismatch"), + dup23, + ])); + + var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); + + var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Database open failed"), + dup23, + ])); + + var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); + + var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ + dup30, + dup22, + setc("event_description","DBASE REBUILD FAILED"), + dup23, + ])); + + var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); + + var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Automatic rebuild of the database failed", processor_chain([ + dup30, + dup22, + setc("event_description","Automatic rebuild of the database failed"), + dup23, + ])); + + var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); + + var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); + + var select70 = linear_select([ + dup76, + part727, + ]); + + var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); + + var all43 = all_match({ + processors: [ + dup50, + select70, + part728, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","DBASE REBUILD STARTED"), + dup23, + ]), + }); + + var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); + + var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ + dup21, + dup22, + setc("event_description","user attempting database re-creation"), + dup23, + ])); + + var msg698 = msg("UI_DBASE_RECREATE", part729); + + var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup30, + dup22, + setc("event_description","Reopen of the database failed"), + dup23, + ])); + + var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); + + var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ + dup30, + dup22, + setc("event_description","Users have the same UID"), + dup23, + ])); + + var msg700 = msg("UI_DUPLICATE_UID", part731); + + var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", 
processor_chain([ + setc("eventcategory","1401050100"), + dup22, + setc("event_description","User used JUNOScript client to run command"), + dup23, + ])); + + var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); + + var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","JUNOScript error"), + dup23, + ])); + + var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); + + var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ + dup21, + dup22, + setc("event_description","User command"), + dup23, + ])); + + var msg703 = msg("UI_LOAD_EVENT", part734); + + var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ + setc("eventcategory","1701040000"), + dup22, + setc("event_description","Loading default config from file"), + dup23, + ])); + + var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); + + var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + dup127, + dup128, + dup23, + ])); + + var msg705 = msg("UI_LOGIN_EVENT:01", part736); + + var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + dup127, + dup23, + ])); + + var msg706 = msg("UI_LOGIN_EVENT", part737); + + var select71 = linear_select([ + msg705, + 
msg706, + ]); + + var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup125, + dup34, + dup35, + dup126, + dup37, + dup22, + setc("event_description","User logout"), + dup23, + ])); + + var msg707 = msg("UI_LOGOUT_EVENT", part738); + + var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","Lost connection to daemon"), + dup23, + ])); + + var msg708 = msg("UI_LOST_CONN", part739); + + var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ + dup21, + dup22, + setc("event_description","MASTERSHIP EVENT"), + dup23, + ])); + + var msg709 = msg("UI_MASTERSHIP_EVENT", part740); + + var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","Terminating operation"), + dup23, + ])); + + var msg710 = msg("UI_MGD_TERMINATE", part741); + + var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup29, + dup22, + setc("event_description","User used NETCONF client to run command"), + dup23, + ])); + + var msg711 = msg("UI_NETCONF_CMD", part742); + + var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","read failed for peer"), + dup23, + ])); + + var msg712 = msg("UI_READ_FAILED", part743); + + var part744 = 
match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup30, + dup22, + setc("event_description","Timeout on read of peer"), + dup23, + ])); + + var msg713 = msg("UI_READ_TIMEOUT", part744); + + var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ + dup60, + dup22, + setc("event_description","System reboot or halt"), + dup23, + ])); + + var msg714 = msg("UI_REBOOT_EVENT", part745); + + var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup29, + dup22, + setc("event_description","user restarting daemon"), + dup23, + ])); + + var msg715 = msg("UI_RESTART_EVENT", part746); + + var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Schema is out of date"), + dup23, + ])); + + var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); + + var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Schema major version mismatch"), + dup23, + ])); + + var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); + + var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Schema minor version mismatch"), + dup23, + ])); + + var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); + 
+ var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","Schema header sequence numbers mismatch"), + dup23, + ])); + + var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); + + var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup30, + dup22, + setc("event_description","Schema sequence number mismatch"), + dup23, + ])); + + var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); + + var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup23, + ])); + + var msg721 = msg("UI_SYNC_OTHER_RE", part752); + + var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup30, + dup22, + dup129, + dup23, + ])); + + var msg722 = msg("UI_TACPLUS_ERROR", part753); + + var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fetch system version"), + dup23, + ])); + + var msg723 = msg("UI_VERSION_FAILED", part754); + + var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ + dup21, + dup22, + setc("event_description","Re-establishing connection to peer"), + dup23, + ])); + + var msg724 = 
msg("UI_WRITE_RECONNECT", part755); + + var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ + dup21, + dup22, + setc("event_description","Interface new master for User"), + dup23, + ])); + + var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); + + var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ + dup69, + dup34, + dup35, + dup43, + dup22, + setc("event_description","Unable to authenticate client"), + dup23, + ])); + + var msg726 = msg("WEB_AUTH_FAIL", part757); + + var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ + dup80, + dup34, + dup35, + dup37, + dup22, + setc("event_description","Authenticated client"), + dup23, + ])); + + var msg727 = msg("WEB_AUTH_SUCCESS", part758); + + var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ + setc("eventcategory","1001030300"), + dup22, + setc("event_description","web request from unauthorized interface"), + dup23, + ])); + + var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); + + var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + dup74, + dup22, + setc("event_description","Unable to read from client"), + dup23, + ])); + + var msg729 = msg("WEB_READ", part760); + + var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: 
%{result}, failed to check request %{url}", processor_chain([ + setc("eventcategory","1204020100"), + dup22, + setc("event_description","failed to check web request"), + dup23, + ])); + + var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); + + var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup74, + dup53, + dup43, + dup22, + dup52, + ])); + + var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); + + var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup29, + dup22, + setc("event_description","Bridge Address"), + dup23, + ])); + + var msg732 = msg("eswd", part763); + + var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ + dup29, + dup22, + setc("event_description","ESWD STP State Change Info"), + dup23, + ])); + + var msg733 = msg("eswd:01", part764); + + var select72 = linear_select([ + msg732, + msg733, + ]); + + var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup29, + dup22, + dup26, + dup23, + ])); + + var msg734 = msg("/usr/sbin/cron", part765); + + var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup29, + dup22, + setc("event_description","Link status change event"), + dup23, + ])); + + var msg735 = msg("chassism:02", part766); + + var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup29, + dup22, + setc("event_description","ifd process flaps"), + 
dup23, + ])); + + var msg736 = msg("chassism:01", part767); + + var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup29, + dup22, + setc("event_description","IFCM "), + dup23, + ])); + + var msg737 = msg("chassism", part768); + + var select73 = linear_select([ + msg735, + msg736, + msg737, + ]); + + var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); + + var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); + + var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); + + var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); + + var select74 = linear_select([ + msg738, + msg739, + msg740, + msg741, + ]); + + var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); + + var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); + + var select75 = linear_select([ + msg742, + msg743, + ]); + + var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ + dup46, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); + + var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ + dup46, + dup47, + dup23, + ])); + + var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); + + var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ + dup46, + dup47, + dup23, + dup22, + 
dup128, + ])); + + var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); + + var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ + dup46, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); + + var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup48, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); + + var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ + dup46, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg749 = msg("LACPD_TIMEOUT", part778); + + var msg750 = msg("cli", dup159); + + var msg751 = msg("pfed", dup159); + + var msg752 = msg("idpinfo", dup159); + + var msg753 = msg("kmd", dup159); + + var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg754 = msg("node:01", part779); + + var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg755 = msg("node:02", part780); + + var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg756 = msg("node:03", part781); + + var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority 
%{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg757 = msg("node:04", part782); + + var select76 = linear_select([ + dup131, + dup132, + ]); + + var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); + + var select77 = linear_select([ + dup132, + dup131, + ]); + + var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); + + var all44 = all_match({ + processors: [ + dup130, + select76, + part783, + select77, + part784, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + ]), + }); + + var msg758 = msg("node:05", all44); + + var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); + + var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); + + var select78 = linear_select([ + part785, + part786, + ]); + + var all45 = all_match({ + processors: [ + dup130, + select78, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + ]), + }); + + var msg759 = msg("node:06", all45); + + var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg760 = msg("node:07", part787); + + var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg761 = msg("node:08", part788); + + var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg762 = msg("node:09", part789); + + var select79 = linear_select([ + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + ]); + + var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) 
%{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg763 = msg("(FPC:01", part790); + + var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg764 = msg("(FPC:02", part791); + + var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); + + var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); + + var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); + + var select80 = linear_select([ + part793, + part794, + ]); + + var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); + + var all46 = all_match({ + processors: [ + part792, + select80, + part795, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + dup24, + ]), + }); + + var msg765 = msg("(FPC:03", all46); + + var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg766 = msg("(FPC:04", part796); + + var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg767 = msg("(FPC:05", part797); + + var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg768 = msg("(FPC", part798); + + var select81 = linear_select([ + msg763, + msg764, + msg765, + msg766, 
+ msg767, + msg768, + ]); + + var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup48, + dup23, + dup22, + dup24, + ])); + + var msg769 = msg("tnp.bootpd", part799); + + var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup48, + dup52, + dup22, + dup61, + ])); + + var msg770 = msg("AAMW_ACTION_LOG", part800); + + var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup133, + dup52, + dup22, + dup61, + ])); + + var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); + + var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup133, + dup52, + dup22, + ])); + + var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); + + var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ + dup81, + dup52, + dup22, + dup61, + ])); + + var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); + + var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup81, + dup52, + dup22, + dup61, + ])); + + var msg774 = msg("RT_SCREEN_ICMP", part804); + + var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup46, + dup52, + dup22, + dup61, + ])); + + var msg775 = msg("SECINTEL_ACTION_LOG", part805); + + var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); + + var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); + + var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); + + var select82 = linear_select([ + part807, + part808, + ]); + + var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); + + var all47 = all_match({ + processors: [ + part806, + select82, + part809, + ], + on_success: processor_chain([ + dup21, + dup22, + dup23, + ]), + }); + + var msg776 = msg("qsfp", all47); + + var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup21, + dup22, + dup121, + dup23, + ])); + + var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); + + var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup125, + dup34, + dup35, + dup126, + dup37, + dup22, + setc("event_description","LOGOUT"), + dup23, + ])); + + var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); + + var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup30, + dup22, + dup129, + dup23, + ])); + + var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); + + var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", 
"%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup30, + dup22, + dup57, + dup23, + ])); + + var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); + + var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup21, + dup22, + dup38, + dup23, + ])); + + var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); + + var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); + + var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); + + var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); + + var select83 = linear_select([ + part816, + part817, + ]); + + var all48 = all_match({ + processors: [ + part815, + select83, + ], + on_success: processor_chain([ + dup21, + dup22, + dup38, + dup23, + ]), + }); + + var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); + + var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ + dup21, + dup22, + dup23, + ])); + + var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); + + var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup134, + dup23, + dup22, + setc("event_description","Interface Monitor failed "), + dup24, + ])); + + var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); + + var 
part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup134, + dup23, + dup22, + setc("event_description","Interface Monitor failure recovered"), + dup24, + ])); + + var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); + + var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup134, + dup23, + dup22, + dup24, + ])); + + var msg786 = msg("JUNOSROUTER_GENERIC", part821); + + var select84 = linear_select([ + msg777, + msg778, + msg779, + msg780, + msg781, + msg782, + msg783, + msg784, + msg785, + msg786, + ]); + + var chain1 = processor_chain([ + select5, + msgid_select({ + "(FPC": select81, + "/usr/libexec/telnetd": msg2, + "/usr/sbin/cron": msg734, + "/usr/sbin/sshd": msg1, + "AAMWD_NETWORK_CONNECT_FAILED": msg745, + "AAMW_ACTION_LOG": msg770, + "AAMW_HOST_INFECTED_EVENT_LOG": msg771, + "AAMW_MALWARE_EVENT_LOG": msg772, + "ACCT_ACCOUNTING_FERROR": msg114, + "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, + "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, + "ACCT_BAD_RECORD_FORMAT": msg117, + "ACCT_CU_RTSLIB_error": msg118, + "ACCT_GETHOSTNAME_error": msg119, + "ACCT_MALLOC_FAILURE": msg120, + "ACCT_UNDEFINED_COUNTER_NAME": msg121, + "ACCT_XFER_FAILED": msg122, + "ACCT_XFER_POPEN_FAIL": msg123, + "APPQOS_LOG_EVENT": msg124, + "APPTRACK_SESSION_CLOSE": select30, + "APPTRACK_SESSION_CREATE": msg125, + "APPTRACK_SESSION_VOL_UPDATE": select31, + "BCHIP": msg106, + "BFDD_TRAP_STATE_DOWN": msg130, + "BFDD_TRAP_STATE_UP": msg131, + "BOOTPD_ARG_ERR": msg143, + "BOOTPD_BAD_ID": msg144, + "BOOTPD_BOOTSTRING": msg145, + "BOOTPD_CONFIG_ERR": msg146, + "BOOTPD_CONF_OPEN": msg147, + "BOOTPD_DUP_REV": msg148, + "BOOTPD_DUP_SLOT": msg149, + "BOOTPD_MODEL_CHK": msg150, + "BOOTPD_MODEL_ERR": msg151, + "BOOTPD_NEW_CONF": msg152, + "BOOTPD_NO_BOOTSTRING": msg153, + "BOOTPD_NO_CONFIG": msg154, + "BOOTPD_PARSE_ERR": msg155, + 
"BOOTPD_REPARSE": msg156, + "BOOTPD_SELECT_ERR": msg157, + "BOOTPD_TIMEOUT": msg158, + "BOOTPD_VERSION": msg159, + "CHASSISD": msg160, + "CHASSISD_ARGUMENT_ERROR": msg161, + "CHASSISD_BLOWERS_SPEED": msg162, + "CHASSISD_BLOWERS_SPEED_FULL": msg163, + "CHASSISD_CB_READ": msg164, + "CHASSISD_COMMAND_ACK_ERROR": msg165, + "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, + "CHASSISD_CONCAT_MODE_ERROR": msg167, + "CHASSISD_CONFIG_INIT_ERROR": msg168, + "CHASSISD_CONFIG_WARNING": msg169, + "CHASSISD_EXISTS": msg170, + "CHASSISD_EXISTS_TERM_OTHER": msg171, + "CHASSISD_FILE_OPEN": msg172, + "CHASSISD_FILE_STAT": msg173, + "CHASSISD_FRU_EVENT": msg174, + "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, + "CHASSISD_FRU_STEP_ERROR": msg176, + "CHASSISD_GETTIMEOFDAY": msg177, + "CHASSISD_HIGH_TEMP_CONDITION": msg214, + "CHASSISD_HOST_TEMP_READ": msg178, + "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, + "CHASSISD_IFDEV_DETACH_FPC": msg180, + "CHASSISD_IFDEV_DETACH_PIC": msg181, + "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, + "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, + "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, + "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, + "CHASSISD_IPC_UNEXPECTED_RECV": msg186, + "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, + "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, + "CHASSISD_MAC_ADDRESS_ERROR": msg189, + "CHASSISD_MAC_DEFAULT": msg190, + "CHASSISD_MBUS_ERROR": msg191, + "CHASSISD_PARSE_COMPLETE": msg192, + "CHASSISD_PARSE_ERROR": msg193, + "CHASSISD_PARSE_INIT": msg194, + "CHASSISD_PIDFILE_OPEN": msg195, + "CHASSISD_PIPE_WRITE_ERROR": msg196, + "CHASSISD_POWER_CHECK": msg197, + "CHASSISD_RECONNECT_SUCCESSFUL": msg198, + "CHASSISD_RELEASE_MASTERSHIP": msg199, + "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, + "CHASSISD_ROOT_MOUNT_ERROR": msg201, + "CHASSISD_RTS_SEQ_ERROR": msg202, + "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, + "CHASSISD_SERIAL_ID": msg204, + "CHASSISD_SMB_ERROR": msg205, + "CHASSISD_SNMP_TRAP10": msg208, + "CHASSISD_SNMP_TRAP6": msg206, + "CHASSISD_SNMP_TRAP7": 
msg207, + "CHASSISD_TERM_SIGNAL": msg209, + "CHASSISD_TRACE_PIC_OFFLINE": msg210, + "CHASSISD_UNEXPECTED_EXIT": msg211, + "CHASSISD_UNSUPPORTED_MODEL": msg212, + "CHASSISD_VERSION_MISMATCH": msg213, + "CM": msg107, + "CM_JAVA": msg216, + "COS": msg108, + "COSFPC": msg109, + "COSMAN": msg110, + "CRON": msg16, + "CROND": select11, + "Cmerror": msg17, + "DCD_AS_ROOT": msg217, + "DCD_FILTER_LIB_ERROR": msg218, + "DCD_MALLOC_FAILED_INIT": msg219, + "DCD_PARSE_EMERGENCY": msg220, + "DCD_PARSE_FILTER_EMERGENCY": msg221, + "DCD_PARSE_MINI_EMERGENCY": msg222, + "DCD_PARSE_STATE_EMERGENCY": msg223, + "DCD_POLICER_PARSE_EMERGENCY": msg224, + "DCD_PULL_LOG_FAILURE": msg225, + "DFWD_ARGUMENT_ERROR": msg226, + "DFWD_MALLOC_FAILED_INIT": msg227, + "DFWD_PARSE_FILTER_EMERGENCY": msg228, + "DFWD_PARSE_STATE_EMERGENCY": msg229, + "ECCD_DAEMONIZE_FAILED": msg230, + "ECCD_DUPLICATE": msg231, + "ECCD_LOOP_EXIT_FAILURE": msg232, + "ECCD_NOT_ROOT": msg233, + "ECCD_PCI_FILE_OPEN_FAILED": msg234, + "ECCD_PCI_READ_FAILED": msg235, + "ECCD_PCI_WRITE_FAILED": msg236, + "ECCD_PID_FILE_LOCK": msg237, + "ECCD_PID_FILE_UPDATE": msg238, + "ECCD_TRACE_FILE_OPEN_FAILED": msg239, + "ECCD_usage": msg240, + "EVENT": msg23, + "EVENTD_AUDIT_SHOW": msg241, + "FLOW_REASSEMBLE_FAIL": msg731, + "FLOW_REASSEMBLE_SUCCEED": msg242, + "FSAD_CHANGE_FILE_OWNER": msg243, + "FSAD_CONFIG_ERROR": msg244, + "FSAD_CONNTIMEDOUT": msg245, + "FSAD_FAILED": msg246, + "FSAD_FETCHTIMEDOUT": msg247, + "FSAD_FILE_FAILED": msg248, + "FSAD_FILE_REMOVE": msg249, + "FSAD_FILE_RENAME": msg250, + "FSAD_FILE_STAT": msg251, + "FSAD_FILE_SYNC": msg252, + "FSAD_MAXCONN": msg253, + "FSAD_MEMORYALLOC_FAILED": msg254, + "FSAD_NOT_ROOT": msg255, + "FSAD_PARENT_DIRECTORY": msg256, + "FSAD_PATH_IS_DIRECTORY": msg257, + "FSAD_PATH_IS_SPECIAL": msg258, + "FSAD_RECVERROR": msg259, + "FSAD_TERMINATED_CONNECTION": msg260, + "FSAD_TERMINATING_SIGNAL": msg261, + "FSAD_TRACEOPEN_FAILED": msg262, + "FSAD_USAGE": msg263, + "Failed": select25, + 
"GGSN_ALARM_TRAP_FAILED": msg264, + "GGSN_ALARM_TRAP_SEND": msg265, + "GGSN_TRAP_SEND": msg266, + "IDP_ATTACK_LOG_EVENT": msg773, + "JADE_AUTH_ERROR": msg267, + "JADE_EXEC_ERROR": msg268, + "JADE_NO_LOCAL_USER": msg269, + "JADE_PAM_ERROR": msg270, + "JADE_PAM_NO_LOCAL_USER": msg271, + "JSRPD_HA_CONTROL_LINK_UP": msg748, + "JUNOSROUTER_GENERIC": select84, + "KERN_ARP_ADDR_CHANGE": msg272, + "KMD_PM_SA_ESTABLISHED": msg273, + "L2CPD_TASK_REINIT": msg274, + "LACPD_TIMEOUT": msg749, + "LIBJNX_EXEC_EXITED": msg275, + "LIBJNX_EXEC_FAILED": msg276, + "LIBJNX_EXEC_PIPE": msg277, + "LIBJNX_EXEC_SIGNALED": msg278, + "LIBJNX_EXEC_WEXIT": msg279, + "LIBJNX_FILE_COPY_FAILED": msg280, + "LIBJNX_PRIV_LOWER_FAILED": msg281, + "LIBJNX_PRIV_RAISE_FAILED": msg282, + "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, + "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, + "LIBSERVICED_CLIENT_CONNECTION": msg285, + "LIBSERVICED_OUTBOUND_REQUEST": msg286, + "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, + "LIBSERVICED_SOCKET_BIND": msg288, + "LIBSERVICED_SOCKET_PRIVATIZE": msg289, + "LICENSE_EXPIRED": msg290, + "LICENSE_EXPIRED_KEY_DELETED": msg291, + "LICENSE_NEARING_EXPIRY": msg292, + "LOGIN_ABORTED": msg293, + "LOGIN_FAILED": msg294, + "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, + "LOGIN_FAILED_SET_CONTEXT": msg296, + "LOGIN_FAILED_SET_LOGIN": msg297, + "LOGIN_HOSTNAME_UNRESOLVED": msg298, + "LOGIN_INFORMATION": msg299, + "LOGIN_INVALID_LOCAL_USER": msg300, + "LOGIN_MALFORMED_USER": msg301, + "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, + "LOGIN_PAM_ERROR": msg303, + "LOGIN_PAM_MAX_RETRIES": msg304, + "LOGIN_PAM_NONLOCAL_USER": msg305, + "LOGIN_PAM_STOP": msg306, + "LOGIN_PAM_USER_UNKNOWN": msg307, + "LOGIN_PASSWORD_EXPIRED": msg308, + "LOGIN_REFUSED": msg309, + "LOGIN_ROOT": msg310, + "LOGIN_TIMED_OUT": msg311, + "MIB2D_ATM_ERROR": msg312, + "MIB2D_CONFIG_CHECK_FAILED": msg313, + "MIB2D_FILE_OPEN_FAILURE": msg314, + "MIB2D_IFD_IFINDEX_FAILURE": msg315, + "MIB2D_IFL_IFINDEX_FAILURE": msg316, + 
"MIB2D_INIT_FAILURE": msg317, + "MIB2D_KVM_FAILURE": msg318, + "MIB2D_RTSLIB_READ_FAILURE": msg319, + "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, + "MIB2D_SYSCTL_FAILURE": msg321, + "MIB2D_TRAP_HEADER_FAILURE": msg322, + "MIB2D_TRAP_SEND_FAILURE": msg323, + "MRVL-L2": msg56, + "Multiuser": msg324, + "NASD_AUTHENTICATION_CREATE_FAILED": msg325, + "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, + "NASD_CHAP_GETHOSTNAME_FAILED": msg327, + "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, + "NASD_CHAP_INVALID_OPCODE": msg329, + "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, + "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, + "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, + "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, + "NASD_DAEMONIZE_FAILED": msg334, + "NASD_DB_ALLOC_FAILURE": msg335, + "NASD_DB_TABLE_CREATE_FAILURE": msg336, + "NASD_DUPLICATE": msg337, + "NASD_EVLIB_CREATE_FAILURE": msg338, + "NASD_EVLIB_EXIT_FAILURE": msg339, + "NASD_LOCAL_CREATE_FAILED": msg340, + "NASD_NOT_ROOT": msg341, + "NASD_PID_FILE_LOCK": msg342, + "NASD_PID_FILE_UPDATE": msg343, + "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, + "NASD_PPP_READ_FAILURE": msg345, + "NASD_PPP_SEND_FAILURE": msg346, + "NASD_PPP_SEND_PARTIAL": msg347, + "NASD_PPP_UNRECOGNIZED": msg348, + "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, + "NASD_RADIUS_CONFIG_FAILED": msg350, + "NASD_RADIUS_CREATE_FAILED": msg351, + "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, + "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, + "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, + "NASD_RADIUS_OPEN_FAILED": msg355, + "NASD_RADIUS_SELECT_FAILED": msg356, + "NASD_RADIUS_SET_TIMER_FAILED": msg357, + "NASD_TRACE_FILE_OPEN_FAILED": msg358, + "NASD_usage": msg359, + "NOTICE": msg360, + "PFEMAN": msg61, + "PFE_FW_SYSLOG_IP": select36, + "PFE_NH_RESOLVE_THROTTLED": msg363, + "PING_TEST_COMPLETED": msg364, + "PING_TEST_FAILED": msg365, + "PKID_UNABLE_TO_GET_CRL": msg746, + "PWC_EXIT": msg368, + "PWC_HOLD_RELEASE": msg369, + "PWC_INVALID_RUNS_ARGUMENT": msg370, + 
"PWC_INVALID_TIMEOUT_ARGUMENT": msg371, + "PWC_KILLED_BY_SIGNAL": msg372, + "PWC_KILL_EVENT": msg373, + "PWC_KILL_FAILED": msg374, + "PWC_KQUEUE_ERROR": msg375, + "PWC_KQUEUE_INIT": msg376, + "PWC_KQUEUE_REGISTER_FILTER": msg377, + "PWC_LOCKFILE_BAD_FORMAT": msg378, + "PWC_LOCKFILE_ERROR": msg379, + "PWC_LOCKFILE_MISSING": msg380, + "PWC_LOCKFILE_NOT_LOCKED": msg381, + "PWC_NO_PROCESS": msg382, + "PWC_PROCESS_EXIT": msg383, + "PWC_PROCESS_FORCED_HOLD": msg384, + "PWC_PROCESS_HOLD": msg385, + "PWC_PROCESS_HOLD_SKIPPED": msg386, + "PWC_PROCESS_OPEN": msg387, + "PWC_PROCESS_TIMED_HOLD": msg388, + "PWC_PROCESS_TIMEOUT": msg389, + "PWC_SIGNAL_INIT": msg390, + "PWC_SOCKET_CONNECT": msg391, + "PWC_SOCKET_CREATE": msg392, + "PWC_SOCKET_OPTION": msg393, + "PWC_STDOUT_WRITE": msg394, + "PWC_SYSTEM_CALL": msg395, + "PWC_UNKNOWN_KILL_OPTION": msg396, + "RDP": msg111, + "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, + "RMOPD_ADDRESS_SOURCE_INVALID": msg398, + "RMOPD_ADDRESS_STRING_FAILURE": msg399, + "RMOPD_ADDRESS_TARGET_INVALID": msg400, + "RMOPD_DUPLICATE": msg401, + "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, + "RMOPD_ICMP_SENDMSG_FAILURE": msg403, + "RMOPD_IFINDEX_NOT_ACTIVE": msg404, + "RMOPD_IFINDEX_NO_INFO": msg405, + "RMOPD_IFNAME_NOT_ACTIVE": msg406, + "RMOPD_IFNAME_NO_INFO": msg407, + "RMOPD_NOT_ROOT": msg408, + "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, + "RMOPD_TRACEROUTE_ERROR": msg410, + "RMOPD_usage": msg411, + "RPD_ABORT": msg412, + "RPD_ACTIVE_TERMINATE": msg413, + "RPD_ASSERT": msg414, + "RPD_ASSERT_SOFT": msg415, + "RPD_EXIT": msg416, + "RPD_IFL_INDEXCOLLISION": msg417, + "RPD_IFL_NAMECOLLISION": msg418, + "RPD_ISIS_ADJDOWN": msg419, + "RPD_ISIS_ADJUP": msg420, + "RPD_ISIS_ADJUPNOIP": msg421, + "RPD_ISIS_LSPCKSUM": msg422, + "RPD_ISIS_OVERLOAD": msg423, + "RPD_KRT_AFUNSUPRT": msg424, + "RPD_KRT_CCC_IFL_MODIFY": msg425, + "RPD_KRT_DELETED_RTT": msg426, + "RPD_KRT_IFA_GENERATION": msg427, + "RPD_KRT_IFDCHANGE": msg428, + "RPD_KRT_IFDEST_GET": msg429, + 
"RPD_KRT_IFDGET": msg430, + "RPD_KRT_IFD_GENERATION": msg431, + "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, + "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, + "RPD_KRT_IFL_GENERATION": msg434, + "RPD_KRT_KERNEL_BAD_ROUTE": msg435, + "RPD_KRT_NEXTHOP_OVERFLOW": msg436, + "RPD_KRT_NOIFD": msg437, + "RPD_KRT_UNKNOWN_RTT": msg438, + "RPD_KRT_VERSION": msg439, + "RPD_KRT_VERSIONNONE": msg440, + "RPD_KRT_VERSIONOLD": msg441, + "RPD_LDP_INTF_BLOCKED": msg442, + "RPD_LDP_INTF_UNBLOCKED": msg443, + "RPD_LDP_NBRDOWN": msg444, + "RPD_LDP_NBRUP": msg445, + "RPD_LDP_SESSIONDOWN": msg446, + "RPD_LDP_SESSIONUP": msg447, + "RPD_LOCK_FLOCKED": msg448, + "RPD_LOCK_LOCKED": msg449, + "RPD_MPLS_LSP_CHANGE": msg450, + "RPD_MPLS_LSP_DOWN": msg451, + "RPD_MPLS_LSP_SWITCH": msg452, + "RPD_MPLS_LSP_UP": msg453, + "RPD_MSDP_PEER_DOWN": msg454, + "RPD_MSDP_PEER_UP": msg455, + "RPD_OSPF_NBRDOWN": msg456, + "RPD_OSPF_NBRUP": msg457, + "RPD_OS_MEMHIGH": msg458, + "RPD_PIM_NBRDOWN": msg459, + "RPD_PIM_NBRUP": msg460, + "RPD_RDISC_CKSUM": msg461, + "RPD_RDISC_NOMULTI": msg462, + "RPD_RDISC_NORECVIF": msg463, + "RPD_RDISC_SOLICITADDR": msg464, + "RPD_RDISC_SOLICITICMP": msg465, + "RPD_RDISC_SOLICITLEN": msg466, + "RPD_RIP_AUTH": msg467, + "RPD_RIP_JOIN_BROADCAST": msg468, + "RPD_RIP_JOIN_MULTICAST": msg469, + "RPD_RT_IFUP": msg470, + "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, + "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, + "RPD_SCHED_MODULE_LONGRUNTIME": msg473, + "RPD_SCHED_TASK_LONGRUNTIME": msg474, + "RPD_SIGNAL_TERMINATE": msg475, + "RPD_START": msg476, + "RPD_SYSTEM": msg477, + "RPD_TASK_BEGIN": msg478, + "RPD_TASK_CHILDKILLED": msg479, + "RPD_TASK_CHILDSTOPPED": msg480, + "RPD_TASK_FORK": msg481, + "RPD_TASK_GETWD": msg482, + "RPD_TASK_NOREINIT": msg483, + "RPD_TASK_PIDCLOSED": msg484, + "RPD_TASK_PIDFLOCK": msg485, + "RPD_TASK_PIDWRITE": msg486, + "RPD_TASK_REINIT": msg487, + "RPD_TASK_SIGNALIGNORE": msg488, + "RT_COS": msg489, + "RT_FLOW_SESSION_CLOSE": select51, + 
"RT_FLOW_SESSION_CREATE": select45, + "RT_FLOW_SESSION_DENY": select47, + "RT_SCREEN_ICMP": msg774, + "RT_SCREEN_IP": select52, + "RT_SCREEN_SESSION_LIMIT": msg504, + "RT_SCREEN_TCP": msg503, + "RT_SCREEN_UDP": msg505, + "Resolve": msg63, + "SECINTEL_ACTION_LOG": msg775, + "SECINTEL_ERROR_OTHERS": msg747, + "SECINTEL_NETWORK_CONNECT_FAILED": msg744, + "SERVICED_CLIENT_CONNECT": msg506, + "SERVICED_CLIENT_DISCONNECTED": msg507, + "SERVICED_CLIENT_ERROR": msg508, + "SERVICED_COMMAND_FAILED": msg509, + "SERVICED_COMMIT_FAILED": msg510, + "SERVICED_CONFIGURATION_FAILED": msg511, + "SERVICED_CONFIG_ERROR": msg512, + "SERVICED_CONFIG_FILE": msg513, + "SERVICED_CONNECTION_ERROR": msg514, + "SERVICED_DISABLED_GGSN": msg515, + "SERVICED_DUPLICATE": msg516, + "SERVICED_EVENT_FAILED": msg517, + "SERVICED_INIT_FAILED": msg518, + "SERVICED_MALLOC_FAILURE": msg519, + "SERVICED_NETWORK_FAILURE": msg520, + "SERVICED_NOT_ROOT": msg521, + "SERVICED_PID_FILE_LOCK": msg522, + "SERVICED_PID_FILE_UPDATE": msg523, + "SERVICED_RTSOCK_SEQUENCE": msg524, + "SERVICED_SIGNAL_HANDLER": msg525, + "SERVICED_SOCKET_CREATE": msg526, + "SERVICED_SOCKET_IO": msg527, + "SERVICED_SOCKET_OPTION": msg528, + "SERVICED_STDLIB_FAILURE": msg529, + "SERVICED_USAGE": msg530, + "SERVICED_WORK_INCONSISTENCY": msg531, + "SNMPD_ACCESS_GROUP_ERROR": msg537, + "SNMPD_AUTH_FAILURE": select53, + "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, + "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, + "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, + "SNMPD_CONFIG_ERROR": msg545, + "SNMPD_CONTEXT_ERROR": msg546, + "SNMPD_ENGINE_FILE_FAILURE": msg547, + "SNMPD_ENGINE_PROCESS_ERROR": msg548, + "SNMPD_FILE_FAILURE": msg549, + "SNMPD_GROUP_ERROR": msg550, + "SNMPD_INIT_FAILED": msg551, + "SNMPD_LIBJUNIPER_FAILURE": msg552, + "SNMPD_LOOPBACK_ADDR_ERROR": msg553, + "SNMPD_MEMORY_FREED": msg554, + "SNMPD_RADIX_FAILURE": msg555, + "SNMPD_RECEIVE_FAILURE": msg556, + "SNMPD_RMONFILE_FAILURE": msg557, + "SNMPD_RMON_COOKIE": msg558, + "SNMPD_RMON_EVENTLOG": 
msg559, + "SNMPD_RMON_IOERROR": msg560, + "SNMPD_RMON_MIBERROR": msg561, + "SNMPD_RTSLIB_ASYNC_EVENT": msg562, + "SNMPD_SEND_FAILURE": select54, + "SNMPD_SOCKET_FAILURE": msg565, + "SNMPD_SUBAGENT_NO_BUFFERS": msg566, + "SNMPD_SUBAGENT_SEND_FAILED": msg567, + "SNMPD_SYSLIB_FAILURE": msg568, + "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, + "SNMPD_TRAP_COLD_START": msg570, + "SNMPD_TRAP_GEN_FAILURE": msg571, + "SNMPD_TRAP_GEN_FAILURE2": msg572, + "SNMPD_TRAP_INVALID_DATA": msg573, + "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, + "SNMPD_TRAP_QUEUED": msg575, + "SNMPD_TRAP_QUEUE_DRAINED": msg576, + "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, + "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, + "SNMPD_TRAP_THROTTLED": msg579, + "SNMPD_TRAP_TYPE_ERROR": msg580, + "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, + "SNMPD_TRAP_VERSION_ERROR": msg582, + "SNMPD_TRAP_WARM_START": msg583, + "SNMPD_USER_ERROR": msg584, + "SNMPD_VIEW_DELETE": msg585, + "SNMPD_VIEW_INSTALL_DEFAULT": msg586, + "SNMPD_VIEW_OID_PARSE": msg587, + "SNMP_GET_ERROR1": msg588, + "SNMP_GET_ERROR2": msg589, + "SNMP_GET_ERROR3": msg590, + "SNMP_GET_ERROR4": msg591, + "SNMP_NS_LOG_INFO": msg535, + "SNMP_RTSLIB_FAILURE": msg592, + "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, + "SNMP_TRAP_LINK_DOWN": select55, + "SNMP_TRAP_LINK_UP": select56, + "SNMP_TRAP_PING_PROBE_FAILED": msg597, + "SNMP_TRAP_PING_TEST_COMPLETED": msg598, + "SNMP_TRAP_PING_TEST_FAILED": msg599, + "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, + "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, + "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, + "SNTPD": msg112, + "SSB": msg113, + "SSHD_LOGIN_FAILED": select57, + "SSL_PROXY_SESSION_IGNORE": msg534, + "SSL_PROXY_SSL_SESSION_ALLOW": msg532, + "SSL_PROXY_SSL_SESSION_DROP": msg533, + "TASK_TASK_REINIT": msg606, + "TFTPD_AF_ERR": msg607, + "TFTPD_BIND_ERR": msg608, + "TFTPD_CONNECT_ERR": msg609, + "TFTPD_CONNECT_INFO": msg610, + "TFTPD_CREATE_ERR": msg611, + "TFTPD_FIO_ERR": msg612, + "TFTPD_FORK_ERR": msg613, + "TFTPD_NAK_ERR": msg614, + 
"TFTPD_OPEN_ERR": msg615, + "TFTPD_RECVCOMPLETE_INFO": msg616, + "TFTPD_RECVFROM_ERR": msg617, + "TFTPD_RECV_ERR": msg618, + "TFTPD_SENDCOMPLETE_INFO": msg619, + "TFTPD_SEND_ERR": msg620, + "TFTPD_SOCKET_ERR": msg621, + "TFTPD_STATFS_ERR": msg622, + "TNP": msg623, + "UI_AUTH_EVENT": msg628, + "UI_AUTH_INVALID_CHALLENGE": msg629, + "UI_BOOTTIME_FAILED": msg630, + "UI_CFG_AUDIT_NEW": select58, + "UI_CFG_AUDIT_OTHER": select60, + "UI_CFG_AUDIT_SET": select63, + "UI_CFG_AUDIT_SET_SECRET": select64, + "UI_CHILD_ARGS_EXCEEDED": msg645, + "UI_CHILD_CHANGE_USER": msg646, + "UI_CHILD_EXEC": msg647, + "UI_CHILD_EXITED": msg648, + "UI_CHILD_FOPEN": msg649, + "UI_CHILD_PIPE_FAILED": msg650, + "UI_CHILD_SIGNALED": msg651, + "UI_CHILD_START": msg653, + "UI_CHILD_STATUS": msg654, + "UI_CHILD_STOPPED": msg652, + "UI_CHILD_WAITPID": msg655, + "UI_CLI_IDLE_TIMEOUT": msg656, + "UI_CMDLINE_READ_LINE": msg657, + "UI_CMDSET_EXEC_FAILED": msg658, + "UI_CMDSET_FORK_FAILED": msg659, + "UI_CMDSET_PIPE_FAILED": msg660, + "UI_CMDSET_STOPPED": msg661, + "UI_CMDSET_WEXITED": msg662, + "UI_CMD_AUTH_REGEX_INVALID": msg663, + "UI_COMMIT": msg664, + "UI_COMMIT_AT": msg665, + "UI_COMMIT_AT_COMPLETED": msg666, + "UI_COMMIT_AT_FAILED": msg667, + "UI_COMMIT_COMPRESS_FAILED": msg668, + "UI_COMMIT_CONFIRMED": msg669, + "UI_COMMIT_CONFIRMED_REMINDER": msg670, + "UI_COMMIT_CONFIRMED_TIMED": msg671, + "UI_COMMIT_EMPTY_CONTAINER": msg672, + "UI_COMMIT_NOT_CONFIRMED": msg673, + "UI_COMMIT_PROGRESS": msg674, + "UI_COMMIT_QUIT": msg675, + "UI_COMMIT_ROLLBACK_FAILED": msg676, + "UI_COMMIT_SYNC": msg677, + "UI_COMMIT_SYNC_FORCE": msg678, + "UI_CONFIGURATION_ERROR": msg679, + "UI_DAEMON_ACCEPT_FAILED": msg680, + "UI_DAEMON_FORK_FAILED": msg681, + "UI_DAEMON_SELECT_FAILED": msg682, + "UI_DAEMON_SOCKET_FAILED": msg683, + "UI_DBASE_ACCESS_FAILED": msg684, + "UI_DBASE_CHECKOUT_FAILED": msg685, + "UI_DBASE_EXTEND_FAILED": msg686, + "UI_DBASE_LOGIN_EVENT": msg687, + "UI_DBASE_LOGOUT_EVENT": msg688, + 
"UI_DBASE_MISMATCH_EXTENT": msg689, + "UI_DBASE_MISMATCH_MAJOR": msg690, + "UI_DBASE_MISMATCH_MINOR": msg691, + "UI_DBASE_MISMATCH_SEQUENCE": msg692, + "UI_DBASE_MISMATCH_SIZE": msg693, + "UI_DBASE_OPEN_FAILED": msg694, + "UI_DBASE_REBUILD_FAILED": msg695, + "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, + "UI_DBASE_REBUILD_STARTED": msg697, + "UI_DBASE_RECREATE": msg698, + "UI_DBASE_REOPEN_FAILED": msg699, + "UI_DUPLICATE_UID": msg700, + "UI_JUNOSCRIPT_CMD": msg701, + "UI_JUNOSCRIPT_ERROR": msg702, + "UI_LOAD_EVENT": msg703, + "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, + "UI_LOGIN_EVENT": select71, + "UI_LOGOUT_EVENT": msg707, + "UI_LOST_CONN": msg708, + "UI_MASTERSHIP_EVENT": msg709, + "UI_MGD_TERMINATE": msg710, + "UI_NETCONF_CMD": msg711, + "UI_READ_FAILED": msg712, + "UI_READ_TIMEOUT": msg713, + "UI_REBOOT_EVENT": msg714, + "UI_RESTART_EVENT": msg715, + "UI_SCHEMA_CHECKOUT_FAILED": msg716, + "UI_SCHEMA_MISMATCH_MAJOR": msg717, + "UI_SCHEMA_MISMATCH_MINOR": msg718, + "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, + "UI_SCHEMA_SEQUENCE_ERROR": msg720, + "UI_SYNC_OTHER_RE": msg721, + "UI_TACPLUS_ERROR": msg722, + "UI_VERSION_FAILED": msg723, + "UI_WRITE_RECONNECT": msg724, + "VRRPD_NEWMASTER_TRAP": msg725, + "Version": msg99, + "WEBFILTER_REQUEST_NOT_CHECKED": msg730, + "WEBFILTER_URL_BLOCKED": select75, + "WEBFILTER_URL_PERMITTED": select74, + "WEB_AUTH_FAIL": msg726, + "WEB_AUTH_SUCCESS": msg727, + "WEB_INTERFACE_UNAUTH": msg728, + "WEB_READ": msg729, + "alarmd": msg3, + "bgp_connect_start": msg132, + "bgp_event": msg133, + "bgp_listen_accept": msg134, + "bgp_listen_reset": msg135, + "bgp_nexthop_sanity": msg136, + "bgp_pp_recv": select33, + "bgp_process_caps": select32, + "bgp_send": msg141, + "bgp_traffic_timeout": msg142, + "bigd": select6, + "bigpipe": select7, + "bigstart": msg9, + "cgatool": msg10, + "chassisd": msg11, + "chassism": select73, + "checkd": select8, + "clean_process": msg215, + "cli": msg750, + "cosd": msg14, + "craftd": msg15, + "cron": msg18, + 
"crond": msg21, + "dcd": msg22, + "eswd": select72, + "ftpd": msg24, + "ha_rto_stats_handler": msg25, + "hostinit": msg26, + "idpinfo": msg752, + "ifinfo": select13, + "ifp_ifl_anydown_change_event": msg30, + "ifp_ifl_config_event": msg31, + "ifp_ifl_ext_chg": msg32, + "inetd": select14, + "init": select15, + "ipc_msg_write": msg40, + "kernel": select17, + "kmd": msg753, + "last": select28, + "login": select18, + "lsys_ssam_handler": msg53, + "mcsn": msg54, + "mgd": msg62, + "mrvl_dfw_log_effuse_status": msg55, + "node": select79, + "pfed": msg751, + "process_mode": select38, + "profile_ssam_handler": msg57, + "pst_nat_binding_set_profile": msg58, + "qsfp": msg776, + "respawn": msg64, + "root": msg65, + "rpd": select20, + "rshd": msg70, + "sfd": msg71, + "sshd": select21, + "syslogd": msg92, + "task_connect": msg605, + "task_reconfigure": msg59, + "tnetd": msg60, + "tnp.bootpd": msg769, + "trace_on": msg624, + "trace_rotate": msg625, + "transfer-file": msg626, + "ttloop": msg627, + "ucd-snmp": select26, + "usp_ipc_client_reconnect": msg95, + "usp_trace_ipc_disconnect": msg96, + "usp_trace_ipc_reconnect": msg97, + "uspinfo": msg98, + "xntpd": select27, + }), + ]); + + var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + + var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + + var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var part831 = 
match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); + + var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); + + var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); + + var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); + + var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + + var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); + + var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); + + var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", 
"nwparser.payload", "%{event_type}: session denied %{p0}"); + + var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); + + var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); + + var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); + + var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); + + var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); + + var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", 
"nwparser.p0", "-> \"%{change_new}\""); + + var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + + var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + + var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var select85 = linear_select([ + dup14, + dup15, + dup16, + dup17, + ]); + + var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ + dup13, + ])); + + var select86 = linear_select([ + dup40, + dup41, + ]); + + var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup21, + dup22, + dup56, + dup23, + ])); + + var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup51, + dup22, + dup64, + dup23, + ])); + + var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup30, + dup22, + dup65, + dup23, + ])); + + var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Another copy of this program is running", processor_chain([ + dup30, + dup22, + dup66, + dup23, + ])); + + var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup30, + dup22, + dup67, + dup23, + ])); + + var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup30, + dup22, + dup68, + dup23, + ])); + + var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + dup71, + dup23, + ])); + + var select87 = linear_select([ + dup76, + dup77, + ]); + + var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup30, + dup22, + dup79, + dup23, + ])); + + var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup30, + dup22, + dup84, + dup23, + ])); + + var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup30, + dup22, + dup85, + dup23, + ])); + + var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup21, + dup22, + dup86, + dup23, + ])); + + var select88 = linear_select([ + dup88, + dup89, + ]); + + var select89 = linear_select([ + dup90, + dup45, + ]); + + var select90 = linear_select([ + dup95, + dup96, + ]); + + var 
select91 = linear_select([ + dup101, + dup91, + ]); + + var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup27, + dup22, + dup52, + ])); + + var select92 = linear_select([ + dup118, + dup119, + ]); + + var select93 = linear_select([ + dup123, + dup124, + ]); + + var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", 
"fld12", processor_chain([
+ dup48,
+ dup47,
+ dup23,
+ dup22,
+ ]));
+
+- community_id:
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: dns.question.name
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/juniper/1.1.1/data_stream/junos/agent/stream/tcp.yml.hbs b/packages/juniper/1.1.1/data_stream/junos/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..1d71b4b9f8
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/junos/agent/stream/tcp.yml.hbs
@@ -0,0 +1,12569 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+fields_under_root: true
+fields:
+ observer:
+ vendor: "Juniper"
+ product: "Junos"
+ type: "Routers"
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- script:
+ lang: javascript
+ params:
+ ecs: true
+ rsa: {{rsa_fields}}
+ tz_offset: {{tz_offset}}
+ keep_raw: {{keep_raw_fields}}
+ debug: {{debug}}
+ source: |
+ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ // or more contributor license agreements. Licensed under the Elastic License;
+ // you may not use this file except in compliance with the Elastic License.
+
+ /* jshint -W014,-W016,-W097,-W116 */
+
+ var processor = require("processor");
+ var console = require("console");
+
+ var FLAG_FIELD = "log.flags";
+ var FIELDS_OBJECT = "nwparser";
+ var FIELDS_PREFIX = FIELDS_OBJECT + ".";
+
+ var defaults = {
+ debug: false,
+ ecs: true,
+ rsa: false,
+ keep_raw: false,
+ tz_offset: "local",
+ strip_priority: true
+ };
+
+ var saved_flags = null;
+ var debug;
+ var map_ecs;
+ var map_rsa;
+ var keep_raw;
+ var device;
+ var tz_offset;
+ var strip_priority;
+
+ // Register params from configuration.
+ function register(params) {
+ debug = params.debug !== undefined ? params.debug : defaults.debug;
+ map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
+ map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
+ keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
+ tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
+ strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) {
+ if (debug) console.warn("all_match failure at " + i);
+ if (opts.on_failure != null) opts.on_failure(evt);
+ return;
+ }
+ if (debug) console.warn("all_match success at " + i);
+ }
+ if (opts.on_success != null) opts.on_success(evt);
+ };
+ }
+
+ function msgid_select(mapping) {
+ return function (evt) {
+ var msgid = evt.Get(FIELDS_PREFIX + "messageid");
+ if (msgid == null) {
+ if (debug) console.warn("msgid_select: no messageid captured!");
+ return;
+ }
+ var next = mapping[msgid];
+ if (next === undefined) {
+ if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
+ return;
+ }
+ if (debug) console.info("msgid_select: matched key=" + msgid);
+ return next(evt);
+ };
+ }
+
+ function msg(msg_id, match) {
+ return function (evt) {
+ match(evt);
+ if (evt.Get(FLAG_FIELD) == null) {
+ evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
+ }
+ };
+ }
+
+ var start;
+
+ function save_flags(evt) {
+ saved_flags = evt.Get(FLAG_FIELD);
+ evt.Put("event.original", evt.Get("message"));
+ }
+
+ function restore_flags(evt) {
+ if (saved_flags !== null) {
+ evt.Put(FLAG_FIELD, saved_flags);
+ }
+ evt.Delete("message");
+ }
+
+ function constant(value) {
+ return function (evt) {
+ return value;
+ };
+ }
+
+ function field(name) {
+ var fullname = FIELDS_PREFIX + name;
+ return function (evt) {
+ return evt.Get(fullname);
+ };
+ }
+
+ function STRCAT(args) {
+ var s = "";
+ var i;
+ for (i = 0; i < args.length; i++) {
+ s += args[i];
+ }
+ return s;
+ }
+
+ // TODO: Implement
+ function DIRCHK(args) {
+ unimplemented("DIRCHK");
+ }
+
+ function strictToInt(str) {
+ return str * 1;
+ }
+
+ function CALC(args) {
+ if (args.length !== 3) {
+ console.warn("skipped call to CALC with " + args.length + " arguments.");
+ return;
+ }
+ var a = strictToInt(args[0]);
+ var b = strictToInt(args[2]);
+ if (isNaN(a) || isNaN(b)) {
+ console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
+ return;
+ }
+ var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10, 5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+ "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{p0}"); + + var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + + var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("p0"), + ], + }); + + var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("p0"), + ], + }); + + var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(": "), + field("p0"), + ], + }); + + var dup12 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(": "), + field("p0"), + ], + }); + + var dup13 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" ["), + field("p0"), + ], + }); + + var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var dup19 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + 
field("messageid"), + constant("["), + field("pid"), + constant("]: "), + field("p0"), + ], + }); + + var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); + + var dup21 = setc("eventcategory","1605000000"); + + var dup22 = setf("msg","$MSG"); + + var dup23 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup24 = setf("hostname","hhost"); + + var dup25 = setc("event_description","AUDIT"); + + var dup26 = setc("event_description","CRON command"); + + var dup27 = setc("eventcategory","1801030000"); + + var dup28 = setc("eventcategory","1801020000"); + + var dup29 = setc("eventcategory","1605010000"); + + var dup30 = setc("eventcategory","1603000000"); + + var dup31 = setc("event_description","Process mode"); + + var dup32 = setc("event_description","NTP Server Unreachable"); + + var dup33 = setc("eventcategory","1401060000"); + + var dup34 = setc("ec_theme","Authentication"); + + var dup35 = setc("ec_subject","User"); + + var dup36 = setc("ec_activity","Logon"); + + var dup37 = setc("ec_outcome","Success"); + + var dup38 = setc("event_description","rpd proceeding"); + + var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var dup42 = setc("eventcategory","1701010000"); + + var dup43 = setc("ec_outcome","Failure"); + + var dup44 = setc("eventcategory","1401030000"); + + var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); + + var dup46 = setc("eventcategory","1803000000"); + + var dup47 = setc("event_type","VPN"); + + var dup48 = setc("eventcategory","1605020000"); + + var dup49 = setc("eventcategory","1602020000"); + + var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var 
dup51 = setc("eventcategory","1603020000"); + + var dup52 = date_time({ + dest: "event_time", + args: ["hfld32"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup53 = setc("ec_subject","NetworkComm"); + + var dup54 = setc("ec_activity","Create"); + + var dup55 = setc("ec_activity","Stop"); + + var dup56 = setc("event_description","Trap state change"); + + var dup57 = setc("event_description","peer NLRI mismatch"); + + var dup58 = setc("eventcategory","1605030000"); + + var dup59 = setc("eventcategory","1603010000"); + + var dup60 = setc("eventcategory","1606000000"); + + var dup61 = setf("hostname","hhostname"); + + var dup62 = date_time({ + dest: "event_time", + args: ["hfld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup63 = setc("eventcategory","1401050200"); + + var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); + + var dup65 = setc("event_description","unable to run in the background as a daemon"); + + var dup66 = setc("event_description","Another copy of this program is running"); + + var dup67 = setc("event_description","Unable to lock PID file"); + + var dup68 = setc("event_description","Unable to update process PID file"); + + var dup69 = setc("eventcategory","1301000000"); + + var dup70 = setc("event_description","Command stopped"); + + var dup71 = setc("event_description","Unable to create pipes for command"); + + var dup72 = setc("event_description","Command exited"); + + var dup73 = setc("eventcategory","1603050000"); + + var dup74 = setc("eventcategory","1801010000"); + + var dup75 = setc("event_description","Login failure"); + + var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var dup78 = setc("event_description","Unable to open file"); + + var dup79 = 
setc("event_description","SNMP index assigned changed"); + + var dup80 = setc("eventcategory","1302000000"); + + var dup81 = setc("eventcategory","1001020300"); + + var dup82 = setc("event_description","PFE FW SYSLOG_IP"); + + var dup83 = setc("event_description","process_mode"); + + var dup84 = setc("event_description","Logical interface collision"); + + var dup85 = setc("event_description","excessive runtime time during action of module"); + + var dup86 = setc("event_description","Reinitializing"); + + var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); + + var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); + + var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); + + var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + + var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); + + var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var dup93 = setc("eventcategory","1803010000"); + + var dup94 = setc("ec_activity","Deny"); + + var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); + + var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); + + var dup97 = setc("event_description","session denied"); + + var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\"%{p0}"); + + var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); + + var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); + + var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); + + var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var dup104 = setc("dclass_counter1_string","No.of packets from client"); + + var dup105 = setc("event_description","SNMPD AUTH FAILURE"); + + var dup106 = setc("event_description","send send-type (index1) failure"); + + var dup107 = setc("event_description","SNMP trap error"); + + var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); + + var dup109 = setc("event_description","SNMP TRAP LINK UP"); + + var dup110 = setc("event_description","Login Failure"); + + var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); + + var 
dup113 = setc("eventcategory","1701020000"); + + var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); + + var dup116 = setc("event_description","User set command"); + + var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + + var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + + var dup120 = setc("event_description","User set groups to secret"); + + var dup121 = setc("event_description","UI CMDLINE READ LINE"); + + var dup122 = setc("event_description","User commit"); + + var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var dup125 = setc("eventcategory","1401070000"); + + var dup126 = setc("ec_activity","Logoff"); + + var dup127 = setc("event_description","Successful login"); + + var dup128 = setf("hostname","hostip"); + + var dup129 = setc("event_description","TACACS+ failure"); + + var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var dup133 = setc("eventcategory","1003010000"); + + var dup134 = setc("eventcategory","1901000000"); + + var dup135 = linear_select([ + dup14, + dup15, + dup16, + dup17, + ]); + + var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ + dup13, + ])); + + var dup137 = linear_select([ + dup40, + dup41, + ]); + + var dup138 = 
match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup21, + dup22, + dup56, + dup23, + ])); + + var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup51, + dup22, + dup64, + dup23, + ])); + + var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup30, + dup22, + dup65, + dup23, + ])); + + var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup30, + dup22, + dup66, + dup23, + ])); + + var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup30, + dup22, + dup67, + dup23, + ])); + + var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup30, + dup22, + dup68, + dup23, + ])); + + var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + dup71, + dup23, + ])); + + var dup145 = linear_select([ + dup76, + dup77, + ]); + + var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup30, + dup22, + dup79, + dup23, + ])); + + var dup147 = 
match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup30, + dup22, + dup84, + dup23, + ])); + + var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup30, + dup22, + dup85, + dup23, + ])); + + var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup21, + dup22, + dup86, + dup23, + ])); + + var dup150 = linear_select([ + dup88, + dup89, + ]); + + var dup151 = linear_select([ + dup90, + dup45, + ]); + + var dup152 = linear_select([ + dup95, + dup96, + ]); + + var dup153 = linear_select([ + dup101, + dup91, + ]); + + var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup27, + dup22, + 
dup52, + ])); + + var dup156 = linear_select([ + dup118, + dup119, + ]); + + var dup157 = linear_select([ + dup123, + dup124, + ]); + + var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ + dup48, + dup47, + dup23, + dup22, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": restart "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" message repeated "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("("), + field("hfld1"), + constant("): "), + field("p0"), + ], + }), + ])); + + var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); + + var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); 
+ + var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); + + var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); + + var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); + + var select1 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + part1, + part2, + part3, + part4, + part5, + dup8, + ]); + + var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ + dup9, + ])); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part6, + ], + on_success: processor_chain([ + setc("header_id","0004"), + ]), + }); + + var select2 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + ]); + + var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ + dup10, + ])); + + var all2 = all_match({ + processors: [ + dup1, + select2, + part7, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), + }); + + var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("["), + field("hpid"), + constant("]: "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + 
constant(" IFP trace> "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0010"), + dup11, + ])); + + var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0029"), + dup12, + ])); + + var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0015"), + dup12, + ])); + + var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0011"), + dup11, + ])); + + var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0027"), + dup9, + ])); + + var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0012"), + dup9, + ])); + + var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ + setc("header_id","0013"), + dup13, + ])); + + var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var all3 = all_match({ + processors: [ + hdr14, + dup135, + dup136, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.a"), + ]), + }); + + var all4 = all_match({ + processors: [ + dup18, + dup135, + dup136, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.b"), + ]), + }); + + var all5 = all_match({ + processors: [ + dup18, + dup135, + dup136, + ], + on_success: processor_chain([ + 
setc("header_id","0026"), + ]), + }); + + var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0016"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(": "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ + setc("header_id","0017"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0018"), + dup19, + ])); + + var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0028"), + dup19, + ])); + + var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0019"), + dup9, + ])); + + var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0020"), + dup19, + ])); + + var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ + 
setc("header_id","0021"), + dup9, + ])); + + var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0022"), + dup9, + ])); + + var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0023"), + dup19, + ])); + + var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0024"), + dup9, + ])); + + var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ + setc("header_id","0031"), + dup10, + ])); + + var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0032"), + dup19, + ])); + + var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0033"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","3336"), + ])); + + var hdr31 = match("HEADER#34:3339", "message", "%{month->} 
%{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","3339"), + ])); + + var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","3337"), + ])); + + var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","3341"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3338"), + ])); + + var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" node"), + field("hfld1"), + constant(".fpc"), + field("p0"), + ], + }), + ])); + + var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); + + var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); + + var select3 = linear_select([ + part8, + part9, + ]); + + var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); + + var all6 = all_match({ + processors: [ + hdr35, + select3, + part10, + ], + on_success: processor_chain([ + setc("header_id","3340"), + setc("messageid","node"), + ]), + }); + + var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); + + var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); + + var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); + + var select4 = linear_select([ + hdr36, + hdr37, + hdr38, + ]); + + var part11 = match("HEADER#39:9997/1", "nwparser.p0", 
"%{process_id}]:%{payload}"); + + var all7 = all_match({ + processors: [ + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","9997"), + dup20, + ]), + }); + + var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ + setc("header_id","9995"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("p0"), + ], + }), + ])); + + var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ + setc("header_id","9994"), + setc("messageid","qsfp"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld1"), + constant(" qsfp "), + field("p0"), + ], + }), + ])); + + var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ + setc("header_id","9999"), + dup20, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_type"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ + setc("header_id","9998"), + dup20, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("process"), + constant(": "), + field("p0"), + ], + }), + ])); + + var select5 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + all2, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + all3, + all4, + all5, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + all6, + all7, + hdr39, + hdr40, + hdr41, + hdr42, + ]); + + var 
part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","sshd exit status"), + dup23, + ])); + + var msg1 = msg("/usr/sbin/sshd", part12); + + var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","telnetd exit status"), + dup23, + ])); + + var msg2 = msg("/usr/libexec/telnetd", part13); + + var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Alarm Set or Cleared"), + dup23, + ])); + + var msg3 = msg("alarmd", part14); + + var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ + dup21, + dup22, + setc("event_description","Node detected UP"), + dup23, + ])); + + var msg4 = msg("bigd", part15); + + var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ + dup21, + dup22, + setc("event_description","Monitor template id"), + dup23, + ])); + + var msg5 = msg("bigd:01", part16); + + var select6 = linear_select([ + msg4, + msg5, + ]); + + var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","Loading configuration file"), + dup23, + ])); + + var msg6 = msg("bigpipe", part17); + + var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","Begin config install operation"), + dup23, + ])); + + var msg7 = msg("bigpipe:01", part18); + + var 
part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup21, + dup22, + setc("event_description","Audit"), + dup23, + ])); + + var msg8 = msg("bigpipe:02", part19); + + var select7 = linear_select([ + msg6, + msg7, + msg8, + ]); + + var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ + dup21, + dup22, + setc("event_description","portal shutdown"), + dup23, + ])); + + var msg9 = msg("bigstart", part20); + + var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","cga address genration"), + dup23, + ])); + + var msg10 = msg("cgatool", part21); + + var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ + dup21, + dup22, + dup23, + dup24, + ])); + + var msg11 = msg("chassisd:01", part22); + + var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup21, + dup22, + dup25, + dup23, + ])); + + var msg12 = msg("checkd", part23); + + var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ + dup21, + dup22, + setc("event_description","checkd exiting"), + dup23, + ])); + + var msg13 = msg("checkd:01", part24); + + var select8 = linear_select([ + msg12, + msg13, + ]); + + var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","link protection for interface"), + dup23, + ])); + + var msg14 = msg("cosd", part25); + + var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ + dup21, + 
dup22, + setc("event_description","License expiration warning"), + dup23, + ])); + + var msg15 = msg("craftd", part26); + + var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); + + var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); + + var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); + + var select9 = linear_select([ + part28, + part29, + ]); + + var all8 = all_match({ + processors: [ + part27, + select9, + ], + on_success: processor_chain([ + dup21, + dup22, + dup26, + dup23, + ]), + }); + + var msg16 = msg("CRON", all8); + + var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); + + var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); + + var select10 = linear_select([ + part30, + part31, + ]); + + var all9 = all_match({ + processors: [ + select10, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + ]), + }); + + var msg17 = msg("Cmerror", all9); + + var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ + dup21, + dup22, + setc("event_description","cron RELOAD"), + dup23, + ])); + + var msg18 = msg("cron", part32); + + var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup21, + dup22, + dup23, + dup24, + ])); + + var msg19 = msg("CROND", part33); + + var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ + dup27, + dup22, + dup23, + dup24, + ])); + + var msg20 = msg("CROND:02", part34); + + var select11 = linear_select([ + msg19, + msg20, + ]); + + var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", 
"%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ + dup28, + dup22, + dup23, + dup24, + ])); + + var msg21 = msg("crond:01", part35); + + var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Setting ignored"), + dup23, + ])); + + var msg22 = msg("dcd", part36); + + var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); + + var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); + + var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); + + var select12 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); + + var all10 = all_match({ + processors: [ + part37, + select12, + part40, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","EVENT"), + dup23, + ]), + }); + + var msg23 = msg("EVENT", all10); + + var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ + setc("eventcategory","1802000000"), + dup22, + setc("event_description","ftpd connection"), + dup23, + ])); + + var msg24 = msg("ftpd", part41); + + var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup29, + dup23, + dup22, + ])); + + var msg25 = msg("ha_rto_stats_handler", part42); + + var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ + dup21, + dup22, + setc("event_description","LDAP Connection not bound correctly"), + dup23, + ])); + + var msg26 = msg("hostinit", part43); + + var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","PIC_INFO debug - Added entry"), + dup23, + ])); + + var msg27 = msg("ifinfo", part44); + + var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","PIC_INFO debug Initializing spu"), + dup23, + ])); + + var msg28 = msg("ifinfo:01", part45); + + var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","PIC_INFO debug delete from list"), + dup23, + ])); + + var msg29 = msg("ifinfo:02", part46); + + var select13 = linear_select([ + msg27, + msg28, + msg29, + ]); + + var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ + dup21, + dup22, + setc("event_description","IFL anydown change event"), + dup23, + ])); + + var msg30 = msg("ifp_ifl_anydown_change_event", part47); + + var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ + dup21, + dup22, + setc("event_description","ifp ifl config_event"), + dup23, + ])); + + var msg31 = msg("ifp_ifl_config_event", part48); + + var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ + dup21, + dup22, + setc("event_description","ifp_ifl_ext_chg"), + dup23, + ])); + + var msg32 = 
msg("ifp_ifl_ext_chg", part49); + + var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","connection exceeded count limit"), + dup23, + ])); + + var msg33 = msg("inetd", part50); + + var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","exited"), + dup23, + ])); + + var msg34 = msg("inetd:01", part51); + + var select14 = linear_select([ + msg33, + msg34, + ]); + + var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup21, + dup22, + dup31, + dup23, + ])); + + var msg35 = msg("init:04", part52); + + var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ + dup21, + dup22, + dup31, + dup23, + ])); + + var msg36 = msg("init", part53); + + var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","failure target for routing set"), + dup23, + ])); + + var msg37 = msg("init:01", part54); + + var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ + dup21, + dup22, + setc("event_description","ntp started"), + dup23, + ])); + + var msg38 = msg("init:02", part55); + + var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ + dup21, + dup22, + setc("event_description","product mask and model info"), + dup23, + ])); + + var msg39 = msg("init:03", part56); + + var select15 
= linear_select([ + msg35, + msg36, + msg37, + msg38, + msg39, + ]); + + var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","IPC message exceeds MTU"), + dup23, + ])); + + var msg40 = msg("ipc_msg_write", part57); + + var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ + dup28, + dup22, + setc("event_description","listener connection established"), + dup23, + ])); + + var msg41 = msg("connection_established", part58); + + var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); + + var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); + + var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); + + var select16 = linear_select([ + part60, + part61, + ]); + + var all11 = all_match({ + processors: [ + part59, + select16, + ], + on_success: processor_chain([ + dup27, + dup22, + setc("event_description","connection dropped"), + dup23, + ]), + }); + + var msg42 = msg("connection_dropped", all11); + + var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Asserting SONET alarm(s)"), + dup23, + ])); + + var msg43 = msg("kernel", part62); + + var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ + dup21, + dup22, + setc("event_description","interface down"), + dup23, 
+ ])); + + var msg44 = msg("kernel:01", part63); + + var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","loopback suspected om interface"), + dup23, + ])); + + var msg45 = msg("kernel:02", part64); + + var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","soreceive error"), + dup23, + ])); + + var msg46 = msg("kernel:03", part65); + + var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ + dup21, + dup22, + setc("event_description","pfe_peer_alloc state 4"), + dup23, + ])); + + var msg47 = msg("kernel:04", part66); + + var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup21, + dup22, + dup32, + dup23, + ])); + + var msg48 = msg("kernel:05", part67); + + var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup21, + dup22, + dup32, + dup23, + ])); + + var msg49 = msg("kernel:06", part68); + + var select17 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + ]); + + var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","successful user login"), + dup23, + ])); + + var msg50 = msg("successful_login", part69); + + var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ + 
dup33, + dup34, + dup35, + dup36, + dup22, + setc("event_description","user login attempt"), + dup23, + ])); + + var msg51 = msg("login_attempt", part70); + + var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup33, + dup34, + dup37, + dup22, + setc("event_description","PAM module return from login"), + dup23, + ])); + + var msg52 = msg("login", part71); + + var select18 = linear_select([ + msg50, + msg51, + msg52, + ]); + + var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","processing lsys root-logical-system"), + dup23, + ])); + + var msg53 = msg("lsys_ssam_handler", part72); + + var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Removing mif from group"), + dup23, + ])); + + var msg54 = msg("mcsn", part73); + + var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup30, + dup22, + setc("event_description","Firewall rows could not be redirected on device"), + dup23, + ])); + + var msg55 = msg("mrvl_dfw_log_effuse_status", part74); + + var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup30, + dup22, + setc("event_description","mfilter already exists for add"), + dup23, + ])); + + var msg56 = msg("MRVL-L2", part75); + + var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ + dup21, + dup22, + 
setc("event_description","processing profile SP-root"), + dup23, + ])); + + var msg57 = msg("profile_ssam_handler", part76); + + var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","can't get resource bucket"), + dup23, + ])); + + var msg58 = msg("pst_nat_binding_set_profile", part77); + + var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","reinitializing done"), + dup23, + ])); + + var msg59 = msg("task_reconfigure", part78); + + var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); + + var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); + + var select19 = linear_select([ + part79, + part80, + ]); + + var all12 = all_match({ + processors: [ + select19, + ], + on_success: processor_chain([ + dup21, + dup22, + dup23, + dup24, + ]), + }); + + var msg60 = msg("tnetd", all12); + + var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ + dup21, + dup22, + setc("event_description","Session manager active"), + dup23, + ])); + + var msg61 = msg("PFEMAN", part81); + + var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup30, + dup22, + setc("event_description","Could not send message to service"), + dup23, + ])); + + var msg62 = msg("mgd", part82); + + var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Resolve request came for an address matching on 
Wrong nh"), + dup23, + ])); + + var msg63 = msg("Resolve", part83); + + var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","service exited with status"), + dup23, + ])); + + var msg64 = msg("respawn", part84); + + var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup30, + dup22, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup23, + ])); + + var msg65 = msg("root", part85); + + var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","Received data for interface"), + dup23, + ])); + + var msg66 = msg("rpd", part86); + + var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","RSVP neighbor up on interface "), + dup23, + ])); + + var msg67 = msg("rpd:01", part87); + + var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ + dup21, + dup22, + setc("event_description","reseting pending active connection"), + dup23, + ])); + + var msg68 = msg("rpd:02", part88); + + var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ + dup21, + dup22, + dup38, + dup23, + ])); + + var msg69 = msg("rpd_proceeding", part89); + + var select20 = linear_select([ + msg66, + msg67, + msg68, + msg69, + ]); + + var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ + dup21, + dup22, + setc("event_description","user issuing command as root"), + dup23, + ])); + + var msg70 = msg("rshd", part90); + + var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ + dup21, + dup22, + setc("event_description","sfd waiting on accept"), + dup23, + ])); + + var msg71 = msg("sfd", part91); + + var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","Accepted password"), + dup23, + ])); + + var msg72 = msg("sshd", part92); + + var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ + dup27, + dup22, + setc("event_description","Received disconnect"), + dup23, + ])); + + var msg73 = msg("sshd:02", part93); + + var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ + dup30, + dup22, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + dup23, + ])); + + var msg74 = msg("sshd:03", part94); + + var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup30, + dup22, + setc("event_description","Could not write ident string"), + dup23, + ])); + + var msg75 = msg("sshd:04", part95); 
+ + var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ + dup21, + dup22, + setc("event_description","subsystem request for netconf"), + dup23, + ])); + + var msg76 = msg("sshd:05", part96); + + var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); + + var all13 = all_match({ + processors: [ + dup39, + dup137, + part97, + ], + on_success: processor_chain([ + dup29, + dup22, + setc("event_description","send message stats"), + dup23, + ]), + }); + + var msg77 = msg("sshd:06", all13); + + var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); + + var all14 = all_match({ + processors: [ + dup39, + dup137, + part98, + ], + on_success: processor_chain([ + dup42, + setc("ec_theme","Configuration"), + setc("ec_activity","Modify"), + dup37, + dup22, + setc("event_description","Added radius server"), + dup23, + ]), + }); + + var msg78 = msg("sshd:07", all14); + + var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ + setc("eventcategory","1301020000"), + dup34, + dup43, + dup22, + setc("event_description","authentication error"), + dup23, + ])); + + var msg79 = msg("sshd:08", part99); + + var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ + dup30, + dup22, + setc("event_description","unrecognized attribute in policy"), + dup23, + ])); + + var msg80 = msg("sshd:09", part100); + + var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup44, + dup34, + dup43, + dup22, + setc("event_description","PAM module return from sshd"), + dup23, + ])); + + 
var msg81 = msg("sshd:10", part101); + + var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup44, + dup34, + dup43, + dup22, + setc("event_description","PAM authentication chain return"), + dup23, + ])); + + var msg82 = msg("sshd:11", part102); + + var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","can't get client address"), + dup23, + ])); + + var msg83 = msg("sshd:12", part103); + + var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup30, + dup22, + setc("event_description","auth server unresponsive"), + dup23, + ])); + + var msg84 = msg("sshd:13", part104); + + var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup30, + dup22, + setc("event_description","No valid RADIUS responses received"), + dup23, + ])); + + var msg85 = msg("sshd:14", part105); + + var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ + dup21, + dup22, + setc("event_description","Moving to next server"), + dup23, + ])); + + var msg86 = msg("sshd:15", part106); + + var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup44, + dup34, + dup43, + dup22, + setc("event_description","Login failed for user"), + dup23, + ])); + + var msg87 = msg("sshd:16", part107); + + var select21 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + ]); + + var part108 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); + + var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); + + var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); + + var select22 = linear_select([ + part109, + part110, + dup45, + ]); + + var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); + + var all15 = all_match({ + processors: [ + part108, + select22, + part111, + ], + on_success: processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + setc("event_description","authentication failure"), + dup23, + ]), + }); + + var msg88 = msg("Failed:05", all15); + + var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); + + var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); + + var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); + + var select23 = linear_select([ + part113, + part114, + ]); + + var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); + + var all16 = all_match({ + processors: [ + part112, + select23, + part115, + ], + on_success: processor_chain([ + dup46, + dup47, + dup23, + dup22, + ]), + }); + + var msg89 = msg("Failed", all16); + + var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup46, + dup23, + dup22, + ])); + + var msg90 = msg("Failed:01", part116); + + var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); + + var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); + + var select24 = linear_select([ + part117, + part118, + ]); + + var all17 = all_match({ + processors: [ + select24, + ], + 
on_success: processor_chain([ + dup46, + dup23, + dup22, + setf("hostname","hfld1"), + ]), + }); + + var msg91 = msg("Failed:02", all17); + + var select25 = linear_select([ + msg88, + msg89, + msg90, + msg91, + ]); + + var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ + dup21, + dup22, + setc("event_description","syslog daemon restart"), + dup23, + ])); + + var msg92 = msg("syslogd", part119); + + var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup21, + dup22, + dup25, + dup23, + ])); + + var msg93 = msg("ucd-snmp", part120); + + var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ + dup21, + dup22, + setc("event_description","Received TERM or STOP signal"), + dup23, + ])); + + var msg94 = msg("ucd-snmp:01", part121); + + var select26 = linear_select([ + msg93, + msg94, + ]); + + var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ + dup27, + dup22, + setc("event_description","failed to connect to the server"), + dup23, + ])); + + var msg95 = msg("usp_ipc_client_reconnect", part122); + + var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ + dup27, + dup22, + setc("event_description","Trace client disconnected"), + dup23, + ])); + + var msg96 = msg("usp_trace_ipc_disconnect", part123); + + var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup30, + dup22, + setc("event_description","USP trace client cannot reconnect to server"), + dup23, + ])); + + var msg97 = msg("usp_trace_ipc_reconnect", part124); + + var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","flow_print_session_summary_output received"), + dup23, + ])); + + var msg98 = msg("uspinfo", part125); + + var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ + dup21, + dup22, + setc("event_description","Version build date"), + dup23, + ])); + + var msg99 = msg("Version", part126); + + var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","frequency initialized from file"), + dup23, + ])); + + var msg100 = msg("xntpd", part127); + + var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ + dup21, + dup22, + setc("event_description","nptd version build"), + dup23, + ])); + + var msg101 = msg("xntpd:01", part128); + + var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","kernel time sync enabled"), + dup23, + ])); + + var msg102 = msg("xntpd:02", part129); + + var part130 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup21, + dup22, + dup32, + dup23, + ])); + + var msg103 = msg("xntpd:03", part130); + + var select27 = linear_select([ + msg100, + msg101, + msg102, + msg103, + ]); + + var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ + dup21, + dup22, + setc("event_description","last message repeated"), + dup23, + ])); + + var msg104 = msg("last", part131); + + var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ + dup48, + dup47, + dup23, + dup22, + dup24, + ])); + + var msg105 = msg("last:01", part132); + + var select28 = linear_select([ + msg104, + msg105, + ]); + + var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup30, + dup22, + setc("event_description","cannot write ucode mask reg"), + dup23, + ])); + + var msg106 = msg("BCHIP", part133); + + var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ + dup21, + dup22, + setc("event_description","Slot on-line"), + dup23, + ])); + + var msg107 = msg("CM", part134); + + var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Received FC Q map"), + dup23, + ])); + + var msg108 = msg("COS", part135); + + var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","ifd error"), + dup23, + ])); + + var msg109 = msg("COSFPC", part136); + + var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ + dup21, + 
dup22, + setc("event_description","delete class to ifl link"), + dup23, + ])); + + var msg110 = msg("COSMAN", part137); + + var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","Keepalive timeout"), + dup23, + ])); + + var msg111 = msg("RDP", part138); + + var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup30, + dup22, + setc("event_description","Initial time of day set"), + dup23, + ])); + + var msg112 = msg("SNTPD", part139); + + var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ + dup21, + dup22, + setc("event_description","Slot serial number"), + dup23, + ])); + + var msg113 = msg("SSB", part140); + + var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","Unexpected error"), + dup23, + ])); + + var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); + + var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to open file"), + dup23, + ])); + + var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); + + var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup49, + dup22, + setc("event_description","File size mismatch"), + dup23, + ])); + + var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part143); + + var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup49, + dup22, + setc("event_description","Invalid statistics record"), + dup23, + ])); + + var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); + + var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup49, + dup22, + setc("event_description","Class usage statistics error for interface"), + dup23, + ])); + + var msg118 = msg("ACCT_CU_RTSLIB_error", part145); + + var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); + + var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); + + var select29 = linear_select([ + part146, + part147, + ]); + + var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); + + var all18 = all_match({ + processors: [ + dup50, + select29, + part148, + ], + on_success: processor_chain([ + dup49, + dup22, + setc("event_description","error trying to get hostname"), + dup23, + ]), + }); + + var msg119 = msg("ACCT_GETHOSTNAME_error", all18); + + var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup51, + dup22, + setc("event_description","Memory allocation failure"), + dup23, + ])); + + var msg120 = msg("ACCT_MALLOC_FAILURE", part149); + + var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ + dup30, + 
dup22, + setc("event_description","Accounting profile counter not defined in firewall"), + dup23, + ])); + + var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); + + var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup30, + dup22, + setc("event_description","ACCT_XFER_FAILED"), + dup23, + ])); + + var msg122 = msg("ACCT_XFER_FAILED", part151); + + var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup23, + ])); + + var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); + + var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup28, + dup22, + dup52, + ])); + + var msg124 = msg("APPQOS_LOG_EVENT", part153); + + var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup54, + dup22, + setc("result","AppTrack session created"), + dup23, + ])); + + var msg125 = msg("APPTRACK_SESSION_CREATE", part154); + + var part155 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup28, + dup53, + dup55, + dup22, + dup52, + ])); + + var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); + + var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup55, + dup22, + dup23, + ])); + + var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); + + var select30 = linear_select([ + msg126, + msg127, + ]); + + var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup28, + dup53, + dup22, + dup52, + ])); + + var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); + + var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup22, + dup23, + ])); + + var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); + + var select31 = linear_select([ + msg128, + msg129, + ]); + + var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); + + var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); + + var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","bgp connect error"), + dup23, + ])); + + var msg132 = msg("bgp_connect_start", part159); + + var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ + dup21, + dup22, + setc("event_description","bgp peer state change"), + dup23, + ])); + + var msg133 = msg("bgp_event", part160); + + var part161 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup23, + ])); + + var msg134 = msg("bgp_listen_accept", part161); + + var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","bgp reset"), + dup23, + ])); + + var msg135 = msg("bgp_listen_reset", part162); + + var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","peer next hop local"), + dup23, + ])); + + var msg136 = msg("bgp_nexthop_sanity", part163); + + var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ + dup30, + dup22, + setc("event_description","code RED error NOTIFICATION sent"), + dup23, + ])); + + var msg137 = msg("bgp_process_caps", part164); + + var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup30, + dup22, + dup57, + dup23, + ])); + + var msg138 = msg("bgp_process_caps:01", part165); + + var select32 = linear_select([ + msg137, + msg138, + ]); + + var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ + dup30, + dup22, + setc("event_description","connection 
collision"), + setc("result","dropping connection to peer"), + dup23, + ])); + + var msg139 = msg("bgp_pp_recv", part166); + + var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ + dup30, + dup22, + setc("event_description","peer received unexpected EOF"), + dup23, + ])); + + var msg140 = msg("bgp_pp_recv:01", part167); + + var select33 = linear_select([ + msg139, + msg140, + ]); + + var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","bgp send blocked error"), + dup23, + ])); + + var msg141 = msg("bgp_send", part168); + + var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup23, + ])); + + var msg142 = msg("bgp_traffic_timeout", part169); + + var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","boot argument error"), + dup23, + ])); + + var msg143 = msg("BOOTPD_ARG_ERR", part170); + + var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","boot unexpected Id value"), + dup23, + ])); + + var msg144 = msg("BOOTPD_BAD_ID", part171); + + var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","Invalid boot string"), + dup23, + ])); + + var msg145 = msg("BOOTPD_BOOTSTRING", part172); + + var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","configuration file error"), + dup23, + ])); + + var msg146 = msg("BOOTPD_CONFIG_ERR", part173); + + var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to open configuration file"), + dup23, + ])); + + var msg147 = msg("BOOTPD_CONF_OPEN", part174); + + var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup30, + dup22, + setc("event_description","boot - Duplicate revision"), + dup23, + ])); + + var msg148 = msg("BOOTPD_DUP_REV", part175); + + var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup30, + dup22, + setc("event_description","boot - duplicate slot"), + dup23, + ])); + + var msg149 = msg("BOOTPD_DUP_SLOT", part176); + + var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Unexpected ID for model"), + dup23, + ])); + + var msg150 = msg("BOOTPD_MODEL_CHK", part177); + + var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup30, + dup22, + 
setc("event_description","Unsupported model"), + dup23, + ])); + + var msg151 = msg("BOOTPD_MODEL_ERR", part178); + + var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ + dup21, + dup22, + setc("event_description","New configuration installed"), + dup23, + ])); + + var msg152 = msg("BOOTPD_NEW_CONF", part179); + + var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","No boot string found"), + dup23, + ])); + + var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); + + var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","No configuration file found"), + dup23, + ])); + + var msg154 = msg("BOOTPD_NO_CONFIG", part181); + + var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ + dup30, + dup22, + setc("event_description","parse errors on SIGHUP"), + dup23, + ])); + + var msg155 = msg("BOOTPD_PARSE_ERR", part182); + + var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","Reparsing configuration file"), + dup23, + ])); + + var msg156 = msg("BOOTPD_REPARSE", part183); + + var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","select error"), + dup23, + ])); + + var msg157 = 
msg("BOOTPD_SELECT_ERR", part184); + + var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ + dup30, + dup22, + setc("event_description","timeout unreasonable"), + dup23, + ])); + + var msg158 = msg("BOOTPD_TIMEOUT", part185); + + var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ + dup21, + dup22, + setc("event_description","boot version built"), + dup23, + ])); + + var msg159 = msg("BOOTPD_VERSION", part186); + + var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ + dup58, + dup22, + setc("event_description","CHASSISD release built"), + dup23, + ])); + + var msg160 = msg("CHASSISD", part187); + + var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD Unknown option"), + dup23, + ])); + + var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); + + var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ + dup21, + dup22, + setc("event_description","Fans and impellers are now running at normal speed"), + dup23, + ])); + + var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); + + var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ + dup21, + dup22, + setc("event_description","Fans and impellers being set to full speed"), + dup23, + ])); + + var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); + + var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","reading midplane ID EEPROM"), + dup23, + ])); + + var msg164 = msg("CHASSISD_CB_READ", part191); + + var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup23, + ])); + + var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); + + var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup23, + ])); + + var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); + + var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup23, + ])); + + var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); + + var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CONFIG File Problem"), + dup23, + ])); + + var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); + + var part196 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD CONFIG WARNING"), + dup23, + ])); + + var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); + + var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","chassisd already running"), + dup23, + ])); + + var msg170 = msg("CHASSISD_EXISTS", part197); + + var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ + dup21, + dup22, + setc("event_description","Killing existing chassisd and exiting"), + dup23, + ])); + + var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); + + var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","file open error"), + dup23, + ])); + + var msg172 = msg("CHASSISD_FILE_OPEN", part199); + + var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD file statistics error"), + dup23, + ])); + + var msg173 = msg("CHASSISD_FILE_STAT", part200); + + var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD received restart EVENT"), + dup23, + ])); + + var msg174 = 
msg("CHASSISD_FRU_EVENT", part201); + + var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup23, + ])); + + var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); + + var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup23, + ])); + + var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); + + var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Unexpected error from gettimeofday"), + dup23, + ])); + + var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); + + var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ + dup21, + dup22, + setc("event_description","reading host temperature sensor"), + dup23, + ])); + + var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); + + var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup21, + dup22, + setc("event_description","detaching all pseudo devices"), + dup23, + ])); + + var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); + + var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ + dup21, + dup22, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup23, + ])); + + var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); + + var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup21, + dup22, + setc("event_description","CHASSISD IFDEV DETACH PIC"), + dup23, + ])); + + var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); + + var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup21, + dup22, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup23, + ])); + + var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); + + var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup23, + ])); + + var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); + + var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup23, + ])); + + var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); + + var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Message Queue full"), + dup23, + ])); + + var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); + + var part213 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Received unexpected message"), + dup23, + ])); + + var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); + + var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FRU has no connection pipe"), + dup23, + ])); + + var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); + + var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FRU has no connection arguments"), + dup23, + ])); + + var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); + + var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup30, + dup22, + setc("event_description","chassisd MAC address allocation error"), + dup23, + ])); + + var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); + + var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ + dup21, + dup22, + setc("event_description","Using default MAC address base"), + dup23, + ])); + + var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); + + var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup30, + dup22, + 
setc("event_description","management bus failed sanity test"), + dup23, + ])); + + var msg191 = msg("CHASSISD_MBUS_ERROR", part218); + + var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ + dup21, + dup22, + setc("event_description","Using new configuration"), + dup23, + ])); + + var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); + + var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD PARSE ERROR"), + dup23, + ])); + + var msg193 = msg("CHASSISD_PARSE_ERROR", part220); + + var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","Parsing configuration file"), + dup23, + ])); + + var msg194 = msg("CHASSISD_PARSE_INIT", part221); + + var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to open PID file"), + dup23, + ])); + + var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); + + var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Pipe error"), + dup23, + ])); + + var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); + + var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ + dup59, + dup22, + 
setc("event_description","device not powering up"), + dup23, + ])); + + var msg197 = msg("CHASSISD_POWER_CHECK", part224); + + var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ + dup21, + dup22, + setc("event_description","Successful reconnect on soft restart"), + dup23, + ])); + + var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); + + var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ + dup21, + dup22, + setc("event_description","Release mastership notification"), + dup23, + ])); + + var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); + + var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","re_init Invalid RE slot"), + dup23, + ])); + + var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); + + var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to determine mount point for root directory"), + dup23, + ])); + + var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); + + var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","ifmsg sequence gap"), + dup23, + ])); + + var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); + + var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + setc("eventcategory","1603040000"), + dup22, + setc("event_description","Version mismatch"), + dup23, + ])); + + var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); + + var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Serial ID read error"), + dup23, + ])); + + var msg204 = msg("CHASSISD_SERIAL_ID", part231); + + var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","fpga download not complete"), + dup23, + ])); + + var msg205 = msg("CHASSISD_SMB_ERROR", part232); + + var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ + dup58, + dup22, + setc("event_description","SNMP Trap6 generated"), + dup23, + ])); + + var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); + + var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP Trap7 generated"), + dup23, + ])); + + var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); + + var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP trap - FRU power on"), + dup23, + ])); + + var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); + + var part236 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup60, + dup22, + setc("event_description","Received SIGTERM request"), + dup23, + ])); + + var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); + + var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","Taking PIC offline"), + dup23, + ])); + + var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); + + var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","UNEXPECTED EXIT"), + dup23, + ])); + + var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); + + var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ + dup59, + dup22, + setc("event_description","Model number unsupported with this version of chassisd"), + dup23, + ])); + + var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); + + var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup59, + dup22, + setc("event_description","Chassisd Version mismatch"), + dup23, + ])); + + var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); + + var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup59, + dup22, + 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), + dup61, + dup62, + ])); + + var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); + + var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ + dup21, + dup22, + setc("event_description","process RESTART mode"), + dup23, + ])); + + var msg215 = msg("clean_process", part242); + + var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ + dup21, + dup22, + setc("event_description","Chassis Linklocal to MAC"), + dup23, + ])); + + var msg216 = msg("CM_JAVA", part243); + + var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","DCD must be run as root"), + dup23, + ])); + + var msg217 = msg("DCD_AS_ROOT", part244); + + var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup30, + dup22, + setc("event_description","Filter library initialization failed"), + dup23, + ])); + + var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); + + var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); + + var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing configuration file"), + dup23, + ])); + + var msg220 = msg("DCD_PARSE_EMERGENCY", part246); + + var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing filter index file"), + dup23, + ])); + + var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); + + var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing configuration overlay"), + dup23, + ])); + + var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); + + var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup30, + dup22, + setc("event_description","unhandled state was encountered during interface parsing"), + dup23, + ])); + + var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); + + var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing policer indexfile"), + dup23, + ])); + + var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); + + var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to pull file"), + dup23, + ])); + + var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); + + var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","DFWD ARGUMENT 
ERROR"), + dup23, + ])); + + var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); + + var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); + + var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ + dup30, + dup22, + setc("event_description","errors encountered while parsing filter index file"), + dup23, + ])); + + var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); + + var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ + dup30, + dup22, + setc("event_description","encountered unhandled state while parsing interface"), + dup23, + ])); + + var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); + + var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); + + var msg231 = msg("ECCD_DUPLICATE", dup141); + + var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup23, + ])); + + var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); + + var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","ECCD Must be run as root"), + dup23, + ])); + + var msg233 = msg("ECCD_NOT_ROOT", part256); + + var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup23, + ])); + + var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); + + var 
part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PCI read failure"), + dup23, + ])); + + var msg235 = msg("ECCD_PCI_READ_FAILED", part258); + + var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PCI write failure"), + dup23, + ])); + + var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259); + + var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); + + var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); + + var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup23, + ])); + + var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); + + var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","ECCD Usage"), + dup23, + ])); + + var msg240 = msg("ECCD_usage", part261); + + var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ + dup21, + dup22, + setc("event_description","User viewed security audit log with arguments"), + dup23, + ])); + + var msg241 = msg("EVENTD_AUDIT_SHOW", part262); + + var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ + dup21, + dup22, + dup23, + ])); + + var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); + + var part264 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to change owner of file"), + dup23, + ])); + + var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); + + var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FSAD CONFIG ERROR"), + dup23, + ])); + + var msg244 = msg("FSAD_CONFIG_ERROR", part265); + + var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup30, + dup22, + setc("event_description","Connection timed out to client"), + dup23, + ])); + + var msg245 = msg("FSAD_CONNTIMEDOUT", part266); + + var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FSAD_FAILED"), + dup23, + ])); + + var msg246 = msg("FSAD_FAILED", part267); + + var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ + dup30, + dup22, + setc("event_description","Fetch to server to get file timed out"), + dup23, + ])); + + var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); + + var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","fn failed for file"), + dup23, + ])); + + var msg248 = 
msg("FSAD_FILE_FAILED", part269); + + var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to remove file"), + dup23, + ])); + + var msg249 = msg("FSAD_FILE_REMOVE", part270); + + var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to rename file"), + dup23, + ])); + + var msg250 = msg("FSAD_FILE_RENAME", part271); + + var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","stat failed for file"), + dup23, + ])); + + var msg251 = msg("FSAD_FILE_STAT", part272); + + var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to sync file"), + dup23, + ])); + + var msg252 = msg("FSAD_FILE_SYNC", part273); + + var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup30, + dup22, + setc("event_description","Upper limit reached in fsad"), + dup23, + ])); + + var msg253 = msg("FSAD_MAXCONN", part274); + + var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ + dup51, + dup22, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup23, + ])); + + var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part275); + + var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","FSAD must be run as root"), + dup23, + ])); + + var msg255 = msg("FSAD_NOT_ROOT", part276); + + var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","invalid directory"), + dup23, + ])); + + var msg256 = msg("FSAD_PARENT_DIRECTORY", part277); + + var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ + dup30, + dup22, + setc("event_description","File path cannot be a directory"), + dup23, + ])); + + var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); + + var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ + dup30, + dup22, + setc("event_description","Not a regular file"), + dup23, + ])); + + var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); + + var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ + dup30, + dup22, + setc("event_description","fsad received error message from client"), + dup23, + ])); + + var msg259 = msg("FSAD_RECVERROR", part280); + + var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ + dup27, + dup22, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup23, + ])); + + 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); + + var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Received terminating signal"), + dup23, + ])); + + var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); + + var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Open operation on trace file failed"), + dup23, + ])); + + var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); + + var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Incorrect FSAD usage"), + dup23, + ])); + + var msg263 = msg("FSAD_USAGE", part284); + + var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup23, + ])); + + var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); + + var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup23, + ])); + + var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); + + var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup30, + dup22, + setc("event_description","Unknown trap request type"), + dup23, + ])); + + var msg266 = 
msg("GGSN_TRAP_SEND", part287); + + var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup69, + dup34, + setc("ec_subject","Service"), + dup43, + dup22, + setc("event_description","Authorization failed"), + dup23, + ])); + + var msg267 = msg("JADE_AUTH_ERROR", part288); + + var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","JADE EXEC ERROR"), + dup23, + ])); + + var msg268 = msg("JADE_EXEC_ERROR", part289); + + var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ + dup30, + dup22, + setc("event_description","Local user does not exist"), + dup23, + ])); + + var msg269 = msg("JADE_NO_LOCAL_USER", part290); + + var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","JADE PAM error"), + dup23, + ])); + + var msg270 = msg("JADE_PAM_ERROR", part291); + + var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to get local username from PAM"), + dup23, + ])); + + var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); + + var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ + dup30, + dup22, + setc("event_description","arp info overwritten"), + dup23, + ])); + + var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part293); + + var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ + dup30, + dup22, + setc("event_description","security association has been established"), + dup23, + ])); + + var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); + + var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ + dup21, + dup22, + setc("event_description","Task Reinitialized"), + dup61, + dup23, + ])); + + var msg274 = msg("L2CPD_TASK_REINIT", part295); + + var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ + dup21, + dup22, + dup70, + dup23, + ])); + + var msg275 = msg("LIBJNX_EXEC_EXITED", part296); + + var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Child exec failed for command"), + dup23, + ])); + + var msg276 = msg("LIBJNX_EXEC_FAILED", part297); + + var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); + + var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup30, + dup22, + setc("event_description","Command received signal"), + dup23, + ])); + + var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); + + var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ + dup21, + dup22, + dup72, + dup23, + ])); + + var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); + + var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup73, + dup22, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup23, + ])); + + var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); + + var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","Unable to lower privilege level"), + dup23, + ])); + + var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); + + var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","Unable to raise privilege level"), + dup23, + ])); + + var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); + + var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","rcp failed"), + dup23, + ])); + + var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); + + var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup23, + ])); + + var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); + + var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup74, + dup22, + setc("event_description","Client connection error"), + dup23, + ])); + + var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); + + var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","Outbound request failed for command"), + dup23, + ])); + + var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); + + var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ + dup27, + dup22, + setc("event_description","Connection closed while receiving from client"), + dup23, + ])); + + var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); + + var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unable to bind socket"), + dup23, + ])); + + var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); + + var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to attach socket to management routing instance"), + dup23, + ])); + + var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); + + var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LICENSE EXPIRED"), + 
dup23, + ])); + + var msg290 = msg("LICENSE_EXPIRED", part310); + + var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ + dup21, + dup22, + setc("event_description","License key has expired"), + dup23, + ])); + + var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); + + var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","License key expiration soon"), + dup23, + ])); + + var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); + + var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ + dup30, + dup22, + setc("event_description","client aborted login"), + dup23, + ])); + + var msg293 = msg("LOGIN_ABORTED", part313); + + var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + dup23, + ])); + + var msg294 = msg("LOGIN_FAILED", part314); + + var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Incorrect password for user"), + dup23, + ])); + + var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); + + var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + 
setc("result","Failed to set context for user"), + dup23, + ])); + + var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); + + var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Failed to set login ID for user"), + dup23, + ])); + + var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); + + var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Unable to resolve hostname"), + dup23, + ])); + + var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); + + var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); + + var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); + + var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); + + var select34 = linear_select([ + part321, + dup45, + ]); + + var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); + + var all19 = all_match({ + processors: [ + dup39, + dup137, + part319, + dup145, + part320, + select34, + part322, + ], + on_success: processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","Successful Login"), + dup23, + ]), + }); + + var msg299 = msg("LOGIN_INFORMATION", all19); + + var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","No entry in local password 
file for user"), + dup23, + ])); + + var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); + + var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Invalid username"), + dup23, + ])); + + var msg301 = msg("LOGIN_MALFORMED_USER", part324); + + var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); + + var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); + + var select35 = linear_select([ + part325, + part326, + ]); + + var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); + + var all20 = all_match({ + processors: [ + dup50, + select35, + part327, + ], + on_success: processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","PAM authentication error for user"), + dup23, + ]), + }); + + var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); + + var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + setc("event_description","PAM authentication failure"), + setc("result","Failure while authenticating user"), + dup23, + ])); + + var msg303 = msg("LOGIN_PAM_ERROR", part328); + + var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Too many retries while authenticating user"), + dup23, + ])); + + var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); + + 
var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","User authenticated but has no local login ID"), + dup23, + ])); + + var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); + + var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ + setc("eventcategory","1303000000"), + dup34, + dup43, + dup22, + setc("event_description","Failed to end PAM session"), + dup23, + ])); + + var msg306 = msg("LOGIN_PAM_STOP", part331); + + var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Attempt to authenticate unknown user"), + dup23, + ])); + + var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); + + var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Forcing change of expired password for user"), + dup23, + ])); + + var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); + + var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Login of user refused"), + dup23, + ])); + + var msg309 = msg("LOGIN_REFUSED", part334); + + var part335 = match("MESSAGE#305:LOGIN_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","successful login as root"), + setc("result","User logged in as root"), + dup23, + ])); + + var msg310 = msg("LOGIN_ROOT", part335); + + var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ + dup44, + dup34, + dup36, + dup43, + dup22, + dup75, + setc("result","Login attempt timed out"), + dup23, + ])); + + var msg311 = msg("LOGIN_TIMED_OUT", part336); + + var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D ATM ERROR"), + dup23, + ])); + + var msg312 = msg("MIB2D_ATM_ERROR", part337); + + var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CONFIG CHECK FAILED"), + dup23, + ])); + + var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); + + var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + dup78, + dup23, + ])); + + var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); + + var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); + + var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); + + var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","mib2d initialization 
failure"), + dup23, + ])); + + var msg317 = msg("MIB2D_INIT_FAILURE", part340); + + var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D KVM FAILURE"), + dup23, + ])); + + var msg318 = msg("MIB2D_KVM_FAILURE", part341); + + var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup23, + ])); + + var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); + + var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ + dup30, + dup22, + setc("event_description","RTSLIB sequence mismatch"), + dup23, + ])); + + var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); + + var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup23, + ])); + + var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); + + var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup30, + dup22, + setc("event_description","trap_request_header failed"), + dup23, + ])); + + var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); + + var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D 
TRAP SEND FAILURE"), + dup23, + ])); + + var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); + + var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ + dup21, + dup22, + setc("event_description","user sighupped"), + dup23, + ])); + + var msg324 = msg("Multiuser", part347); + + var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate authentication handle"), + dup23, + ])); + + var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); + + var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ + dup80, + dup34, + dup43, + dup22, + setc("event_description","authentication already in progress"), + dup23, + ])); + + var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); + + var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup23, + ])); + + var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); + + var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup23, + ])); + + var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", 
part351); + + var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","CHAP INVALID OPCODE"), + dup23, + ])); + + var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); + + var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup23, + ])); + + var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); + + var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup23, + ])); + + var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); + + var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup81, + dup22, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup23, + ])); + + var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); + + var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup23, + ])); + + var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); + + var 
msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); + + var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate database object"), + dup23, + ])); + + var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); + + var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","DB TABLE CREATE FAILURE"), + dup23, + ])); + + var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); + + var msg337 = msg("NASD_DUPLICATE", dup141); + + var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","EVLIB CREATE FAILURE"), + dup23, + ])); + + var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); + + var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","EVLIB EXIT FAILURE"), + dup23, + ])); + + var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); + + var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate LOCAL module handle"), + dup23, + ])); + + var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); + + var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + 
setc("event_description","NASD must be run as root"), + dup23, + ])); + + var msg341 = msg("NASD_NOT_ROOT", part362); + + var msg342 = msg("NASD_PID_FILE_LOCK", dup142); + + var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); + + var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup23, + ])); + + var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); + + var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PPP READ FAILURE"), + dup23, + ])); + + var msg345 = msg("NASD_PPP_READ_FAILURE", part364); + + var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to send message"), + dup23, + ])); + + var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); + + var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to send all of message"), + dup23, + ])); + + var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); + + var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup30, + dup22, + setc("event_description","Unrecognized authentication protocol"), + dup23, + ])); + + var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); + + var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS password allocation failure"), + dup23, + ])); + + var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); + + var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS CONFIG FAILED"), + dup23, + ])); + + var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); + + var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate RADIUS module handle"), + dup23, + ])); + + var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); + + var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup23, + ])); + + var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); + + var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup23, + ])); + + var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); + + var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unknown response from RADIUS server"), + 
dup23, + ])); + + var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); + + var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS OPEN FAILED"), + dup23, + ])); + + var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); + + var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS SELECT FAILED"), + dup23, + ])); + + var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); + + var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS SET TIMER FAILED"), + dup23, + ])); + + var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); + + var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TRACE FILE OPEN FAILED"), + dup23, + ])); + + var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); + + var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","NASD Usage"), + dup23, + ])); + + var msg359 = msg("NASD_usage", part378); + + var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ + dup21, + dup22, + dup23, + ])); + + var msg360 = msg("NOTICE", part379); + + var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} 
%{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup21, + dup22, + dup82, + dup23, + ])); + + var msg361 = msg("PFE_FW_SYSLOG_IP", part380); + + var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup21, + dup22, + dup82, + dup23, + ])); + + var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); + + var select36 = linear_select([ + msg361, + msg362, + ]); + + var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup21, + dup22, + setc("event_description","Next-hop resolution requests throttled"), + dup23, + ])); + + var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); + + var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","PING TEST COMPLETED"), + dup23, + ])); + + var msg364 = msg("PING_TEST_COMPLETED", part383); + + var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","PING TEST FAILED"), + dup23, + ])); + + var msg365 = msg("PING_TEST_FAILED", part384); + + var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); + + var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); + + var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); + + var select37 = linear_select([ + 
part386, + part387, + ]); + + var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); + + var all21 = all_match({ + processors: [ + dup39, + dup137, + part385, + select37, + part388, + ], + on_success: processor_chain([ + dup21, + dup22, + dup83, + dup23, + ]), + }); + + var msg366 = msg("process_mode", all21); + + var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup21, + dup22, + dup83, + dup23, + ])); + + var msg367 = msg("process_mode:01", part389); + + var select38 = linear_select([ + msg366, + msg367, + ]); + + var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","process exit with status"), + dup23, + ])); + + var msg368 = msg("PWC_EXIT", part390); + + var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ + dup21, + dup22, + setc("event_description","Process released child from state"), + dup23, + ])); + + var msg369 = msg("PWC_HOLD_RELEASE", part391); + + var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","invalid runs argument"), + dup23, + ])); + + var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); + + var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","INVALID TIMEOUT 
ARGUMENT"), + dup23, + ])); + + var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); + + var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ + dup21, + dup22, + setc("event_description","pwc process received terminating signal"), + dup23, + ])); + + var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); + + var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ + dup30, + dup22, + setc("event_description","pwc is sending kill event to child"), + dup23, + ])); + + var msg373 = msg("PWC_KILL_EVENT", part395); + + var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to kill process"), + dup23, + ])); + + var msg374 = msg("PWC_KILL_FAILED", part396); + + var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","kevent failed"), + dup23, + ])); + + var msg375 = msg("PWC_KQUEUE_ERROR", part397); + + var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to create kqueue"), + dup23, + ])); + + var msg376 = msg("PWC_KQUEUE_INIT", part398); + + var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to register 
kqueue filter"), + dup23, + ])); + + var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); + + var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file has bad format"), + dup23, + ])); + + var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); + + var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file error"), + dup23, + ])); + + var msg379 = msg("PWC_LOCKFILE_ERROR", part401); + + var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file not found"), + dup23, + ])); + + var msg380 = msg("PWC_LOCKFILE_MISSING", part402); + + var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file not locked"), + dup23, + ])); + + var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); + + var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup30, + dup22, + setc("event_description","No process specified for PWC"), + dup23, + ])); + + var msg382 = msg("PWC_NO_PROCESS", part404); + + var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","pwc process exited with status"), + 
dup23, + ])); + + var msg383 = msg("PWC_PROCESS_EXIT", part405); + + var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ + dup21, + dup22, + setc("event_description","Process forcing hold down of child until signalled"), + dup23, + ])); + + var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); + + var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ + dup21, + dup22, + setc("event_description","Process holding down child until signalled"), + dup23, + ])); + + var msg385 = msg("PWC_PROCESS_HOLD", part407); + + var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Process not holding down child"), + dup23, + ])); + + var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); + + var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to create child process with pidpopen"), + dup23, + ])); + + var msg387 = msg("PWC_PROCESS_OPEN", part409); + + var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Process holding down child"), + dup23, + ])); + + var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); + + var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Child process timed out"), + dup23, + ])); + + var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); + + var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","signal failure"), + dup23, + ])); + + var msg390 = msg("PWC_SIGNAL_INIT", part412); + + var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to connect socket to service"), + dup23, + ])); + + var msg391 = msg("PWC_SOCKET_CONNECT", part413); + + var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to create socket"), + dup23, + ])); + + var msg392 = msg("PWC_SOCKET_CREATE", part414); + + var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to set socket option"), + dup23, + ])); + + var msg393 = msg("PWC_SOCKET_OPTION", part415); + + var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Write to stdout failed"), + dup23, + ])); + + var msg394 = msg("PWC_STDOUT_WRITE", part416); + + var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + 
dup21, + dup22, + setc("event_description","PWC SYSTEM CALL"), + dup23, + ])); + + var msg395 = msg("PWC_SYSTEM_CALL", part417); + + var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup30, + dup22, + setc("event_description","Unknown kill option"), + dup23, + ])); + + var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); + + var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ + dup30, + dup22, + setc("event_description","Multicast address not allowed"), + dup23, + ])); + + var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); + + var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup23, + ])); + + var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); + + var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to convert numeric address to string"), + dup23, + ])); + + var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); + + var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","rmop_util_set_address status message invalid"), + dup23, + ])); + + var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); + + var msg401 = msg("RMOPD_DUPLICATE", dup141); + + var part423 = 
match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup30, + dup22, + setc("event_description","Only IPv4 source address is supported"), + dup23, + ])); + + var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); + + var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup30, + dup22, + setc("event_description","No route to host"), + dup23, + ])); + + var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); + + var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","IFINDEX NOT ACTIVE"), + dup23, + ])); + + var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); + + var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","IFINDEX NO INFO"), + dup23, + ])); + + var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); + + var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup23, + ])); + + var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); + + var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","IFNAME NO INFO"), + dup23, + ])); + + var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); + + var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","RMOPD Must be run as root"), + dup23, + ])); + + var msg408 = msg("RMOPD_NOT_ROOT", part429); + + var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","No information for routing instance"), + dup23, + ])); + + var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); + + var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TRACEROUTE ERROR"), + dup23, + ])); + + var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); + + var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","RMOPD usage"), + dup23, + ])); + + var msg411 = msg("RMOPD_usage", part432); + + var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD ABORT"), + dup23, + ])); + + var msg412 = msg("RPD_ABORT", part433); + + var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD exiting with active tasks"), + dup23, + ])); + + var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); + + var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file 
\"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD Assertion failed"), + dup23, + ])); + + var msg414 = msg("RPD_ASSERT", part435); + + var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD Soft assertion failed"), + dup23, + ])); + + var msg415 = msg("RPD_ASSERT_SOFT", part436); + + var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ + dup21, + dup22, + setc("event_description","RPD EXIT"), + dup23, + ])); + + var msg416 = msg("RPD_EXIT", part437); + + var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); + + var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); + + var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS lost adjacency"), + dup23, + ])); + + var msg419 = msg("RPD_ISIS_ADJDOWN", part438); + + var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","IS-IS new adjacency"), + dup23, + ])); + + var msg420 = msg("RPD_ISIS_ADJUP", part439); + + var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS new adjacency 
without an address"), + dup23, + ])); + + var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); + + var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup23, + ])); + + var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); + + var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS database overload"), + dup23, + ])); + + var msg423 = msg("RPD_ISIS_OVERLOAD", part442); + + var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","message with unsupported address family received"), + dup23, + ])); + + var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); + + var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup30, + dup22, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup23, + ])); + + var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); + + var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","received deleted routing table from kernel"), + dup23, + ])); + + var msg426 = msg("RPD_KRT_DELETED_RTT", part445); + + var part446 = 
match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ifa generation mismatch"), + dup23, + ])); + + var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); + + var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup30, + dup22, + setc("event_description","CHANGE for ifd failed"), + dup23, + ])); + + var msg428 = msg("RPD_KRT_IFDCHANGE", part447); + + var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup30, + dup22, + setc("event_description","GET SERVICE failure on interface"), + dup23, + ])); + + var msg429 = msg("RPD_KRT_IFDEST_GET", part448); + + var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup30, + dup22, + setc("event_description","GET index for ifd interface failed"), + dup23, + ])); + + var msg430 = msg("RPD_KRT_IFDGET", part449); + + var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ifd generation mismatch"), + dup23, + ])); + + var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); + + var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup23, 
+ ])); + + var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); + + var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup23, + ])); + + var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); + + var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ifl generation mismatch"), + dup23, + ])); + + var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); + + var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","lost interface for route"), + dup23, + ])); + + var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); + + var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","number of next hops exceeded the maximum"), + dup23, + ])); + + var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); + + var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","No device for interface"), + dup23, + ])); + + var msg437 = msg("RPD_KRT_NOIFD", part456); + + var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","received routing table message for unknown table"), + dup23, + ])); + + var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); + + var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Routing socket version mismatch"), + dup23, + ])); + + var msg439 = msg("RPD_KRT_VERSION", part458); + + var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Routing socket message type not supported by kernel"), + dup23, + ])); + + var msg440 = msg("RPD_KRT_VERSIONNONE", part459); + + var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Routing socket message type version is older than expected"), + dup23, + ])); + + var msg441 = msg("RPD_KRT_VERSIONOLD", part460); + + var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Duplicate session ID detected"), + dup23, + ])); + + var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); + + var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface 
%{interface->} is now %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","LDP interface now unblocked"), + dup23, + ])); + + var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); + + var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + setc("eventcategory","1603030000"), + dup22, + setc("event_description","LDP neighbor down"), + dup23, + ])); + + var msg444 = msg("RPD_LDP_NBRDOWN", part463); + + var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","LDP neighbor up"), + dup23, + ])); + + var msg445 = msg("RPD_LDP_NBRUP", part464); + + var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LDP session down"), + dup23, + ])); + + var msg446 = msg("RPD_LDP_SESSIONDOWN", part465); + + var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ + dup21, + dup22, + setc("event_description","LDP session up"), + dup23, + ])); + + var msg447 = msg("RPD_LDP_SESSIONUP", part466); + + var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to obtain a lock"), + dup23, + ])); + + var msg448 = msg("RPD_LOCK_FLOCKED", part467); + + var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", 
processor_chain([ + dup30, + dup22, + setc("event_description","Unable to obtain service lock"), + dup23, + ])); + + var msg449 = msg("RPD_LOCK_LOCKED", part468); + + var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","MPLS LSP CHANGE"), + dup23, + ])); + + var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); + + var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MPLS LSP DOWN"), + dup23, + ])); + + var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); + + var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","MPLS LSP SWITCH"), + dup23, + ])); + + var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); + + var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","MPLS LSP UP"), + dup23, + ])); + + var msg453 = msg("RPD_MPLS_LSP_UP", part472); + + var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MSDP PEER DOWN"), + dup23, + ])); + + var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); + + var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","MSDP PEER UP"), + dup23, + ])); + + var 
msg455 = msg("RPD_MSDP_PEER_UP", part474); + + var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","OSPF neighbor down"), + dup23, + ])); + + var msg456 = msg("RPD_OSPF_NBRDOWN", part475); + + var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","OSPF neighbor up"), + dup23, + ])); + + var msg457 = msg("RPD_OSPF_NBRUP", part476); + + var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ + dup51, + dup22, + setc("event_description","OS MEMHIGH"), + dup23, + ])); + + var msg458 = msg("RPD_OS_MEMHIGH", part477); + + var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","PIM neighbor down"), + setc("result","timeout"), + dup23, + ])); + + var msg459 = msg("RPD_PIM_NBRDOWN", part478); + + var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","PIM neighbor up"), + dup23, + ])); + + var msg460 = msg("RPD_PIM_NBRUP", part479); + + var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Bad checksum for router 
solicitation"), + dup23, + ])); + + var msg461 = msg("RPD_RDISC_CKSUM", part480); + + var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Ignoring interface"), + dup23, + ])); + + var msg462 = msg("RPD_RDISC_NOMULTI", part481); + + var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to locate interface for router"), + dup23, + ])); + + var msg463 = msg("RPD_RDISC_NORECVIF", part482); + + var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Expected multicast for router solicitation"), + dup23, + ])); + + var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); + + var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Nonzero ICMP code for router solicitation"), + dup23, + ])); + + var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); + + var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Insufficient length for router solicitation"), + dup23, + ])); + + var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); + 
+ var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ + dup30, + dup22, + setc("event_description","RIP update with invalid authentication"), + dup23, + ])); + + var msg467 = msg("RPD_RIP_AUTH", part486); + + var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RIP - unable to get broadcast address"), + dup23, + ])); + + var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); + + var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RIP - Unable to join multicast group"), + dup23, + ])); + + var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); + + var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","RIP interface up"), + dup23, + ])); + + var msg470 = msg("RPD_RT_IFUP", part489); + + var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); + + var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup30, + dup22, + setc("event_description","excessive runtime after action of module"), + dup23, + ])); + + var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); + + var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); + + var part491 = 
match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup30, + dup22, + setc("event_description","task extended runtime"), + dup23, + ])); + + var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); + + var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ + dup30, + dup22, + setc("event_description","termination signal received for service"), + dup23, + ])); + + var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); + + var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","version built"), + dup23, + ])); + + var msg476 = msg("RPD_START", part493); + + var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","system command"), + dup23, + ])); + + var msg477 = msg("RPD_SYSTEM", part494); + + var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ + dup21, + dup22, + setc("event_description","Commencing routing updates"), + dup23, + ])); + + var msg478 = msg("RPD_TASK_BEGIN", part495); + + var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","task killed by signal"), + dup23, + ])); + + var msg479 = msg("RPD_TASK_CHILDKILLED", part496); + + var part497 = 
match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","task stopped by signal"), + dup23, + ])); + + var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); + + var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fork task"), + dup23, + ])); + + var msg481 = msg("RPD_TASK_FORK", part498); + + var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","RPD TASK GETWD"), + dup23, + ])); + + var msg482 = msg("RPD_TASK_GETWD", part499); + + var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup30, + dup22, + setc("event_description","Reinitialization not possible"), + dup23, + ])); + + var msg483 = msg("RPD_TASK_NOREINIT", part500); + + var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to close and remove task"), + dup23, + ])); + + var msg484 = msg("RPD_TASK_PIDCLOSED", part501); + + var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD TASK PIDFLOCK"), + dup23, + ])); + + var msg485 = msg("RPD_TASK_PIDFLOCK", part502); + + var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: 
%{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to write"), + dup23, + ])); + + var msg486 = msg("RPD_TASK_PIDWRITE", part503); + + var msg487 = msg("RPD_TASK_REINIT", dup149); + + var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","ignoring task signal"), + dup23, + ])); + + var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); + + var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","COS IPC op failed"), + dup23, + ])); + + var msg489 = msg("RT_COS", part505); + + var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); + + var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); + + var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); + + var select39 = linear_select([ + part508, + dup91, + ]); + + var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); + + var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); + + var select40 = linear_select([ + 
part510, + dup45, + ]); + + var all22 = all_match({ + processors: [ + dup87, + dup150, + part506, + dup151, + part507, + select39, + part509, + select40, + dup92, + ], + on_success: processor_chain([ + dup28, + dup53, + dup54, + dup22, + dup52, + ]), + }); + + var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); + + var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var select41 = linear_select([ + part511, + dup45, + ]); + + var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); + + var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); + + var select42 = linear_select([ + part513, + dup45, + ]); + + var all23 = all_match({ + processors: [ + dup87, + select41, + part512, + select42, + dup92, + ], + on_success: processor_chain([ + dup28, + dup53, + dup54, + dup22, + dup52, + ]), + }); + + var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); + + var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); + + var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); + + var select43 = linear_select([ + part514, + part515, + ]); + + var part516 = 
match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); + + var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); + + var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); + + var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); + + var select44 = linear_select([ + part517, + part518, + part519, + ]); + + var all24 = all_match({ + processors: [ + select43, + part516, + select44, + ], + on_success: processor_chain([ + dup28, + dup53, + dup54, + dup22, + setc("event_description","session created"), + dup23, + ]), + }); + + var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); + + var select45 = linear_select([ + msg490, + msg491, + msg492, + ]); + + var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); + + var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); + + var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); + + var select46 = 
linear_select([ + part521, + part522, + dup45, + ]); + + var all25 = all_match({ + processors: [ + dup87, + dup150, + part520, + select46, + dup92, + ], + on_success: processor_chain([ + dup93, + dup53, + dup94, + dup22, + dup52, + ]), + }); + + var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); + + var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ + dup93, + dup53, + dup94, + dup22, + dup52, + ])); + + var msg494 = msg("RT_FLOW_SESSION_DENY", part523); + + var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); + + var all26 = all_match({ + processors: [ + dup152, + part524, + ], + on_success: processor_chain([ + dup27, + dup53, + dup94, + dup22, + dup97, + dup23, + ]), + }); + + var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); + + var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); + + var all27 = all_match({ + processors: [ + dup152, + part525, + ], + on_success: processor_chain([ + dup27, + dup53, + dup94, + dup22, + dup97, + dup23, + ]), + }); + + var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); + + var select47 = linear_select([ + msg493, + msg494, + msg495, + msg496, + ]); + + var select48 = linear_select([ + dup103, + dup45, + ]); + + var all28 = all_match({ + processors: [ + dup98, + dup150, + dup99, + dup151, + dup100, + dup153, + dup102, + select48, + dup92, + ], + on_success: processor_chain([ + dup27, + dup53, + dup55, + dup104, + dup22, + dup52, + ]), + }); + + var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", 
all28); + + var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup53, + dup55, + dup22, + dup52, + ])); + + var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); + + var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); + + var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); + + var select49 = linear_select([ + part527, + part528, + ]); + + var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); + + var all29 = all_match({ + processors: [ + select49, + part529, + ], + on_success: processor_chain([ + dup27, + dup53, + dup55, + dup22, + setc("event_description","session closed"), + dup23, + ]), + }); + + var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); + + var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); + + var select50 = linear_select([ + dup103, + part530, + dup45, + ]); + + var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); + + var all30 = all_match({ + processors: [ + dup98, + dup150, + 
dup99, + dup151, + dup100, + dup153, + dup102, + select50, + part531, + ], + on_success: processor_chain([ + dup27, + dup53, + dup55, + dup104, + dup22, + dup52, + dup61, + ]), + }); + + var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); + + var select51 = linear_select([ + msg497, + msg498, + msg499, + msg500, + ]); + + var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","Fragmented traffic"), + dup23, + ])); + + var msg501 = msg("RT_SCREEN_IP", part532); + + var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg502 = msg("RT_SCREEN_IP:01", part533); + + var select52 = linear_select([ + msg501, + msg502, + ]); + + var msg503 = msg("RT_SCREEN_TCP", dup154); + + var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); + + var msg505 = msg("RT_SCREEN_UDP", dup154); + + var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ + dup27, + dup22, + setc("event_description","attempt to connect to interface failed"), + dup23, + 
])); + + var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); + + var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup27, + dup22, + setc("event_description","unexpected termination of connection"), + dup23, + ])); + + var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); + + var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","client interface connection failure"), + dup23, + ])); + + var msg508 = msg("SERVICED_CLIENT_ERROR", part537); + + var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","remote command execution failed"), + dup23, + ])); + + var msg509 = msg("SERVICED_COMMAND_FAILED", part538); + + var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","client commit configuration failed"), + dup23, + ])); + + var msg510 = msg("SERVICED_COMMIT_FAILED", part539); + + var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","configuration process failed"), + dup23, + ])); + + var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); + + var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SERVICED CONFIG ERROR"), + dup23, + ])); + + var msg512 = msg("SERVICED_CONFIG_ERROR", part541); + + var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","service failed to read path"), + dup23, + ])); + + var msg513 = msg("SERVICED_CONFIG_FILE", part542); + + var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SERVICED CONNECTION ERROR"), + dup23, + ])); + + var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); + + var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","GGSN services disabled"), + dup23, + ])); + + var msg515 = msg("SERVICED_DISABLED_GGSN", part544); + + var msg516 = msg("SERVICED_DUPLICATE", dup141); + + var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","event function failed"), + dup23, + ])); + + var msg517 = msg("SERVICED_EVENT_FAILED", part545); + + var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","service initialization failed"), + dup23, + ])); + + var msg518 = msg("SERVICED_INIT_FAILED", part546); + + var 
part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","memory allocation failure"), + dup23, + ])); + + var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); + + var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","NETWORK FAILURE"), + dup23, + ])); + + var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); + + var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","SERVICED must be run as root"), + dup23, + ])); + + var msg521 = msg("SERVICED_NOT_ROOT", part549); + + var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); + + var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); + + var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","routing socket sequence error"), + dup23, + ])); + + var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); + + var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","set up of signal name handler failed"), + dup23, + ])); + + var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); + + var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","socket create failed with error"), + dup23, + ])); + + var msg526 = msg("SERVICED_SOCKET_CREATE", part552); + + var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","socket function failed"), + dup23, + ])); + + var msg527 = msg("SERVICED_SOCKET_IO", part553); + + var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unable to set socket option"), + dup23, + ])); + + var msg528 = msg("SERVICED_SOCKET_OPTION", part554); + + var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","STDLIB FAILURE"), + dup23, + ])); + + var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); + + var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Incorrect service usage"), + dup23, + ])); + + var msg530 = msg("SERVICED_USAGE", part556); + + var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","object has unexpected value"), + dup23, + ])); + + var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); + + var msg532 = 
msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); + + var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); + + var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); + + var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ + dup21, + dup22, + setc("event_description","AgentX subagent connected"), + dup61, + dup23, + ])); + + var msg535 = msg("SNMP_NS_LOG_INFO", part558); + + var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ + dup21, + dup22, + setc("event_description","ns_subagent registering rows"), + dup61, + dup23, + ])); + + var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); + + var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup23, + ])); + + var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); + + var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ + dup30, + dup22, + dup105, + setc("result","unauthorized SNMP community to unknown community name"), + dup23, + ])); + + var msg538 = msg("SNMPD_AUTH_FAILURE", part561); + + var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ + dup30, + dup22, + dup105, + setc("result","failed input interface authorization to unknown"), + dup23, + 
])); + + var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); + + var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ + dup30, + dup22, + dup105, + setc("result","unauthorized SNMP community "), + dup23, + ])); + + var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); + + var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup30, + dup22, + dup105, + dup61, + dup62, + ])); + + var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); + + var select53 = linear_select([ + msg538, + msg539, + msg540, + msg541, + ]); + + var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP request exceeded community privileges"), + dup23, + ])); + + var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); + + var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ + dup48, + dup22, + setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), + setc("result","request not allowed"), + dup23, + ])); + + var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); + + var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unauthorized SNMP PDU type"), + 
dup23, + ])); + + var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); + + var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup30, + dup22, + setc("event_description","Configuration database has errors"), + dup23, + ])); + + var msg545 = msg("SNMPD_CONFIG_ERROR", part568); + + var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD CONTEXT ERROR"), + dup23, + ])); + + var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); + + var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup23, + ])); + + var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); + + var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup30, + dup22, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup23, + ])); + + var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); + + var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD FILE FAILURE"), + dup23, + ])); + + var msg549 = msg("SNMPD_FILE_FAILURE", part572); + + var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in 
%{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD GROUP ERROR"), + dup23, + ])); + + var msg550 = msg("SNMPD_GROUP_ERROR", part573); + + var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","snmpd initialization failure"), + dup23, + ])); + + var msg551 = msg("SNMPD_INIT_FAILED", part574); + + var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LIBJUNIPER FAILURE"), + dup23, + ])); + + var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); + + var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LOOPBACK ADDR ERROR"), + dup23, + ])); + + var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); + + var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup30, + dup22, + setc("event_description","duplicate memory free"), + dup23, + ])); + + var msg554 = msg("SNMPD_MEMORY_FREED", part577); + + var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","radix_add failed"), + dup23, + ])); + + var msg555 = msg("SNMPD_RADIX_FAILURE", part578); + + var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1->} failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup23, + ])); + + var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); + + var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RMONFILE FAILURE"), + dup23, + ])); + + var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); + + var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup30, + dup22, + setc("event_description","Null cookie"), + dup23, + ])); + + var msg558 = msg("SNMPD_RMON_COOKIE", part581); + + var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","RMON EVENTLOG"), + dup23, + ])); + + var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); + + var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Received io error"), + dup23, + ])); + + var msg560 = msg("SNMPD_RMON_IOERROR", part583); + + var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","internal Get request error"), + dup23, + ])); + + var msg561 = msg("SNMPD_RMON_MIBERROR", part584); + + var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + 
dup30, + dup22, + setc("event_description","sequence mismatch"), + dup23, + ])); + + var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); + + var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup30, + dup22, + dup106, + dup23, + ])); + + var msg563 = msg("SNMPD_SEND_FAILURE", part586); + + var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup30, + dup22, + dup106, + dup23, + ])); + + var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); + + var select54 = linear_select([ + msg563, + msg564, + ]); + + var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD SOCKET FAILURE"), + dup23, + ])); + + var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); + + var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup30, + dup22, + setc("event_description","No buffers available for subagent"), + dup23, + ])); + + var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); + + var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Send to subagent failed"), + dup23, + ])); + + var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); + + var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", 
processor_chain([ + dup30, + dup22, + setc("event_description","system function failed"), + dup23, + ])); + + var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); + + var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ + dup21, + dup22, + setc("event_description","cleared all throttled traps"), + dup23, + ])); + + var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); + + var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP trap: cold start"), + dup23, + ])); + + var msg570 = msg("SNMPD_TRAP_COLD_START", part593); + + var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ + dup30, + dup22, + dup107, + dup23, + ])); + + var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); + + var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup30, + dup22, + dup107, + dup23, + ])); + + var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); + + var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup23, + ])); + + var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); + + var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ + 
dup30, + dup22, + setc("event_description","SNMPD TRAP ERROR"), + dup23, + ])); + + var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); + + var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ + dup21, + dup22, + setc("event_description","Adding trap to queue"), + dup23, + ])); + + var msg575 = msg("SNMPD_TRAP_QUEUED", part598); + + var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ + dup21, + dup22, + setc("event_description","traps queued - sent successfully"), + dup23, + ])); + + var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); + + var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup23, + ])); + + var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); + + var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup23, + ])); + + var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); + + var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ + dup21, + dup22, + 
setc("event_description","SNMP traps throttled"), + dup23, + ])); + + var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); + + var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ + dup30, + dup22, + setc("event_description","unknown SNMP trap type requested"), + dup23, + ])); + + var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); + + var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup23, + ])); + + var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); + + var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup23, + ])); + + var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); + + var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ + dup21, + dup22, + setc("event_description","SNMPD TRAP WARM START"), + dup23, + ])); + + var msg583 = msg("SNMPD_TRAP_WARM_START", part606); + + var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD USER ERROR"), + dup23, + ])); + + var msg584 = msg("SNMPD_USER_ERROR", part607); + + var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP deleting view"), + dup23, + ])); + + var msg585 = msg("SNMPD_VIEW_DELETE", part608); + + var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","installing default SNMP view"), + dup23, + ])); + + var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); + + var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","oid parsing failed for SNMP view"), + dup23, + ])); + + var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); + + var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP_GET_ERROR 1"), + dup23, + ])); + + var msg588 = msg("SNMP_GET_ERROR1", part611); + + var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP GET ERROR 2"), + dup23, + ])); + + var msg589 = msg("SNMP_GET_ERROR2", part612); + + var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP GET ERROR 
3"), + dup23, + ])); + + var msg590 = msg("SNMP_GET_ERROR3", part613); + + var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP GET ERROR 4"), + dup23, + ])); + + var msg591 = msg("SNMP_GET_ERROR4", part614); + + var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP RTSLIB FAILURE"), + dup23, + ])); + + var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); + + var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup30, + dup22, + dup108, + dup23, + ])); + + var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); + + var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup30, + dup22, + dup108, + dup61, + dup62, + ])); + + var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); + + var select55 = linear_select([ + msg593, + msg594, + ]); + + var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup21, + dup22, + dup109, + dup23, + ])); + + var msg595 = msg("SNMP_TRAP_LINK_UP", part618); + + var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} 
[junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ + dup21, + dup22, + dup109, + dup61, + dup62, + ])); + + var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); + + var select56 = linear_select([ + msg595, + msg596, + ]); + + var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup23, + ])); + + var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); + + var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup23, + ])); + + var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); + + var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup23, + ])); + + var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); + + var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup23, + ])); + + var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); + + var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup23, + ])); + + var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); + + var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup23, + ])); + + var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); + + var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup110, + dup23, + ])); + + var msg603 = msg("SSHD_LOGIN_FAILED", part626); + + var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup110, + dup61, + dup52, + setf("process","hfld33"), + ])); + + var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); + + var select57 = linear_select([ + msg603, + msg604, + ]); + + var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","task connect failure"), + dup23, + ])); + + var msg605 = msg("task_connect", part628); + + var msg606 = msg("TASK_TASK_REINIT", dup149); + + var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup30, + dup22, 
+ setc("event_description","Unexpected address family"), + dup23, + ])); + + var msg607 = msg("TFTPD_AF_ERR", part629); + + var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD BIND ERROR"), + dup23, + ])); + + var msg608 = msg("TFTPD_BIND_ERR", part630); + + var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD CONNECT ERROR"), + dup23, + ])); + + var msg609 = msg("TFTPD_CONNECT_ERR", part631); + + var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","TFTPD CONNECT INFO"), + dup23, + ])); + + var msg610 = msg("TFTPD_CONNECT_INFO", part632); + + var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD CREATE ERROR"), + dup23, + ])); + + var msg611 = msg("TFTPD_CREATE_ERR", part633); + + var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD FIO ERR"), + dup23, + ])); + + var msg612 = msg("TFTPD_FIO_ERR", part634); + + var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD FORK ERROR"), + dup23, + ])); + + var msg613 = msg("TFTPD_FORK_ERR", part635); + + var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD NAK ERROR"), + dup23, + ])); + + var msg614 = msg("TFTPD_NAK_ERR", part636); + + var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ + dup30, + dup22, + dup78, + dup23, + ])); + + var msg615 = msg("TFTPD_OPEN_ERR", part637); + + var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup23, + ])); + + var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); + + var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD RECVFROM ERROR"), + dup23, + ])); + + var msg617 = msg("TFTPD_RECVFROM_ERR", part639); + + var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD RECV ERROR"), + dup23, + ])); + + var msg618 = msg("TFTPD_RECV_ERR", part640); + + var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup23, + ])); + + var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); + + var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: 
%{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD SEND ERROR"), + dup23, + ])); + + var msg620 = msg("TFTPD_SEND_ERR", part642); + + var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD SOCKET ERROR"), + dup23, + ])); + + var msg621 = msg("TFTPD_SOCKET_ERR", part643); + + var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD STATFS ERROR"), + dup23, + ])); + + var msg622 = msg("TFTPD_STATFS_ERR", part644); + + var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","adding neighbor to interface"), + dup23, + ])); + + var msg623 = msg("TNP", part645); + + var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ + dup21, + dup22, + setc("event_description","tracing to file"), + dup23, + call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld33"), + ], + }), + ])); + + var msg624 = msg("trace_on", part646); + + var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","trace rotating file"), + dup23, + ])); + + var msg625 = msg("trace_rotate", part647); + + var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","transfered file"), + dup23, + ])); + + var msg626 = msg("transfer-file", 
part648); + + var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","ttloop - peer died"), + dup23, + ])); + + var msg627 = msg("ttloop", part649); + + var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup80, + dup34, + dup35, + dup37, + dup22, + setc("event_description","Authenticated user"), + dup23, + ])); + + var msg628 = msg("UI_AUTH_EVENT", part650); + + var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup30, + dup22, + setc("event_description","Received invalid authentication challenge for user response"), + dup23, + ])); + + var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); + + var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fetch boot time"), + dup23, + ])); + + var msg630 = msg("UI_BOOTTIME_FAILED", part652); + + var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ + dup30, + dup22, + setc("event_description","user path unknown"), + dup23, + ])); + + var msg631 = msg("UI_CFG_AUDIT_NEW", part653); + + var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ + dup42, + dup22, + 
setc("event_description"," user Inserted Security Policies in config"), + dup23, + ])); + + var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); + + var select58 = linear_select([ + msg631, + msg632, + ]); + + var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ + dup21, + dup22, + setc("event_description","User deleted file"), + setc("action","delete"), + dup23, + ])); + + var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); + + var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","User rollback file"), + dup23, + ])); + + var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); + + var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); + + var select59 = linear_select([ + part657, + dup112, + ]); + + var all31 = all_match({ + processors: [ + dup111, + select59, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","User set"), + dup23, + ]), + }); + + var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); + + var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ + dup21, + dup22, + setc("event_description","User config replace"), + setc("action","replace"), + dup23, + ])); + + var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); + + var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ + setc("eventcategory","1701070000"), + dup22, + setc("event_description","User deactivating group(s)"), + setc("action","deactivate"), + 
dup23, + ])); + + var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); + + var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup113, + dup22, + setc("event_description","User updates config file"), + setc("action","update"), + dup23, + ])); + + var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); + + var select60 = linear_select([ + msg633, + msg634, + msg635, + msg636, + msg637, + msg638, + ]); + + var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); + + var select61 = linear_select([ + part661, + dup114, + ]); + + var all32 = all_match({ + processors: [ + dup111, + select61, + dup115, + ], + on_success: processor_chain([ + dup21, + dup22, + dup116, + dup23, + ]), + }); + + var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); + + var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); + + var select62 = linear_select([ + part662, + dup114, + ]); + + var all33 = all_match({ + processors: [ + dup111, + select62, + dup115, + ], + on_success: processor_chain([ + dup21, + dup22, + dup116, + dup23, + ]), + }); + + var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); + + var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ + dup21, + dup22, + setc("event_description","User replace config application(s)"), + dup23, + ])); + + var msg641 = msg("UI_CFG_AUDIT_SET", part663); + + var select63 = linear_select([ + msg639, + msg640, + msg641, + ]); + + var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); + + var all34 = all_match({ + processors: [ + dup117, + dup156, + part664, + ], + on_success: 
processor_chain([ + dup113, + dup22, + dup120, + dup23, + ]), + }); + + var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); + + var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); + + var all35 = all_match({ + processors: [ + dup117, + dup156, + part665, + ], + on_success: processor_chain([ + dup113, + dup22, + dup120, + dup23, + ]), + }); + + var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); + + var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ + dup21, + dup22, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup23, + ])); + + var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); + + var select64 = linear_select([ + msg642, + msg643, + msg644, + ]); + + var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup30, + dup22, + setc("event_description","Too many arguments for child process"), + dup23, + ])); + + var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); + + var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to switch to local user"), + dup23, + ])); + + var msg646 = msg("UI_CHILD_CHANGE_USER", part668); + + var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Child exec failed"), + dup23, + ])); + + var msg647 = msg("UI_CHILD_EXEC", part669); + + var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child 
exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup30, + dup22, + setc("event_description","Child exited"), + dup23, + ])); + + var msg648 = msg("UI_CHILD_EXITED", part670); + + var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to append to log"), + dup23, + ])); + + var msg649 = msg("UI_CHILD_FOPEN", part671); + + var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to create pipe for command"), + dup23, + ])); + + var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); + + var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ + dup21, + dup22, + dup61, + setc("event_description","Child received signal"), + dup23, + ])); + + var msg651 = msg("UI_CHILD_SIGNALED", part673); + + var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ + dup21, + dup22, + setc("event_description","Child stopped"), + dup23, + ])); + + var msg652 = msg("UI_CHILD_STOPPED", part674); + + var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ + dup21, + dup22, + setc("event_description","Starting child"), + dup23, + ])); + + var msg653 = msg("UI_CHILD_START", part675); + + var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Cleanup child"), + dup23, + ])); + + var msg654 = msg("UI_CHILD_STATUS", part676); + + var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","waitpid failed"), + dup23, + ])); + + var msg655 = msg("UI_CHILD_WAITPID", part677); + + var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Idle timeout for user exceeded"), + dup23, + ])); + + var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); + + var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup21, + dup22, + dup121, + dup23, + ])); + + var msg657 = msg("UI_CMDLINE_READ_LINE", part679); + + var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Command execution failed"), + dup23, + ])); + + var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); + + var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fork command"), + dup23, + ])); + + var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); + + var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); + + var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup30, + dup22, + dup70, + dup23, + ])); + + var msg661 = msg("UI_CMDSET_STOPPED", part682); + + var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ + dup30, + dup22, + dup72, + dup23, + ])); + + var msg662 = msg("UI_CMDSET_WEXITED", part683); + + var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Invalid regexp command"), + dup23, + ])); + + var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); + + var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); + + var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); + + var select65 = linear_select([ + part685, + part686, + ]); + + var all36 = all_match({ + processors: [ + dup117, + select65, + ], + on_success: processor_chain([ + dup21, + dup22, + dup122, + dup23, + ]), + }); + + var msg664 = msg("UI_COMMIT", all36); + + var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ + dup21, + dup22, + dup122, + dup23, + ])); + + var msg665 = msg("UI_COMMIT_AT", part687); + + var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ + dup21, + dup22, + setc("event_description","User commit successful"), + dup23, + ])); + + var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); + + var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup30, + dup22, + setc("event_description","User commit failed"), + dup23, + ])); + + var msg667 = msg("UI_COMMIT_AT_FAILED", part689); + + var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to compress file"), + dup23, + ])); + + var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); + + var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ + dup21, + dup22, + setc("event_description","UI COMMIT CONFIRMED"), + dup23, + ])); + + var msg669 = msg("UI_COMMIT_CONFIRMED", part691); + + var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); + + var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); + + var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); + + var select66 = linear_select([ + part693, + part694, + ]); + + var all37 = all_match({ + processors: [ + part692, + select66, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup23, + ]), + }); + + var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); + + var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); + + var all38 = all_match({ + processors: [ + dup50, + dup145, + part695, + ], + on_success: processor_chain([ + dup21, + 
dup22, + setc("event_description","user performed commit confirm"), + dup23, + ]), + }); + + var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); + + var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Skipped empty object"), + dup23, + ])); + + var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); + + var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","COMMIT NOT CONFIRMED"), + dup23, + ])); + + var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); + + var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); + + var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); + + var select67 = linear_select([ + part698, + part699, + ]); + + var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); + + var all39 = all_match({ + processors: [ + dup50, + select67, + part700, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","Commit operation in progress"), + dup23, + ]), + }); + + var msg674 = msg("UI_COMMIT_PROGRESS", all39); + + var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","COMMIT QUIT"), + dup23, + ])); + + var msg675 = msg("UI_COMMIT_QUIT", part701); + + var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup30, + dup22, + setc("event_description","Automatic rollback failed"), + dup23, + ])); + + var 
msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); + + var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","COMMIT SYNC"), + dup23, + ])); + + var msg677 = msg("UI_COMMIT_SYNC", part703); + + var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","All logins to local configuration database were terminated"), + dup23, + ])); + + var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); + + var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); + + var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); + + var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); + + var select68 = linear_select([ + part706, + part707, + ]); + + var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); + + var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + + var select69 = linear_select([ + part709, + dup112, + ]); + + var all40 = all_match({ + processors: [ + part705, + select68, + part708, + select69, + ], + on_success: processor_chain([ + dup30, + dup22, + setc("event_description","CONFIGURATION ERROR"), + dup23, + ]), + }); + + var msg679 = msg("UI_CONFIGURATION_ERROR", all40); + + var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); + + var all41 = all_match({ + processors: [ + dup50, + dup157, + part710, + ], + on_success: processor_chain([ + dup30, + dup22, + 
setc("event_description","socket connection accept failed"), + dup23, + ]), + }); + + var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); + + var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to create session child"), + dup23, + ])); + + var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); + + var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","DAEMON SELECT FAILED"), + dup23, + ])); + + var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); + + var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); + + var all42 = all_match({ + processors: [ + dup50, + dup157, + part713, + ], + on_success: processor_chain([ + dup30, + dup22, + setc("event_description","socket create failed"), + dup23, + ]), + }); + + var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); + + var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to reaccess database file"), + dup23, + ])); + + var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); + + var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ + dup30, + dup22, + setc("event_description","Database is out of data"), + dup23, + ])); + + var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); + + var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to extend database file"), + dup23, + ])); + + var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); + + var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","User entering configuration mode"), + dup23, + ])); + + var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); + + var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ + dup125, + dup34, + dup35, + dup126, + dup37, + dup22, + setc("event_description","User exiting configuration mode"), + dup23, + ])); + + var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); + + var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header extent mismatch"), + dup23, + ])); + + var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); + + var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header major version number mismatch"), + dup23, + ])); + + var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); + + var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header minor version number mismatch"), + dup23, + ])); + + var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); + + var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ + dup30, + dup22, + setc("event_description","Database header sequence numbers mismatch"), + dup23, + ])); + + var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); + + var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header size mismatch"), + dup23, + ])); + + var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); + + var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Database open failed"), + dup23, + ])); + + var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); + + var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ + dup30, + dup22, + setc("event_description","DBASE REBUILD FAILED"), + dup23, + ])); + + var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); + + var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Automatic rebuild of the database failed", processor_chain([ + dup30, + dup22, + setc("event_description","Automatic rebuild of the database failed"), + dup23, + ])); + + var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); + + var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); + + var select70 = linear_select([ + dup76, + part727, + ]); + + var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); + + var all43 = all_match({ + processors: [ + dup50, + select70, + part728, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","DBASE REBUILD STARTED"), + dup23, + ]), + }); + + var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); + + var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ + dup21, + dup22, + setc("event_description","user attempting database re-creation"), + dup23, + ])); + + var msg698 = msg("UI_DBASE_RECREATE", part729); + + var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup30, + dup22, + setc("event_description","Reopen of the database failed"), + dup23, + ])); + + var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); + + var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ + dup30, + dup22, + setc("event_description","Users have the same UID"), + dup23, + ])); + + var msg700 = msg("UI_DUPLICATE_UID", part731); + + var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", 
processor_chain([ + setc("eventcategory","1401050100"), + dup22, + setc("event_description","User used JUNOScript client to run command"), + dup23, + ])); + + var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); + + var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","JUNOScript error"), + dup23, + ])); + + var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); + + var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ + dup21, + dup22, + setc("event_description","User command"), + dup23, + ])); + + var msg703 = msg("UI_LOAD_EVENT", part734); + + var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ + setc("eventcategory","1701040000"), + dup22, + setc("event_description","Loading default config from file"), + dup23, + ])); + + var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); + + var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + dup127, + dup128, + dup23, + ])); + + var msg705 = msg("UI_LOGIN_EVENT:01", part736); + + var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + dup127, + dup23, + ])); + + var msg706 = msg("UI_LOGIN_EVENT", part737); + + var select71 = linear_select([ + msg705, + 
msg706, + ]); + + var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup125, + dup34, + dup35, + dup126, + dup37, + dup22, + setc("event_description","User logout"), + dup23, + ])); + + var msg707 = msg("UI_LOGOUT_EVENT", part738); + + var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","Lost connection to daemon"), + dup23, + ])); + + var msg708 = msg("UI_LOST_CONN", part739); + + var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ + dup21, + dup22, + setc("event_description","MASTERSHIP EVENT"), + dup23, + ])); + + var msg709 = msg("UI_MASTERSHIP_EVENT", part740); + + var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","Terminating operation"), + dup23, + ])); + + var msg710 = msg("UI_MGD_TERMINATE", part741); + + var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup29, + dup22, + setc("event_description","User used NETCONF client to run command"), + dup23, + ])); + + var msg711 = msg("UI_NETCONF_CMD", part742); + + var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","read failed for peer"), + dup23, + ])); + + var msg712 = msg("UI_READ_FAILED", part743); + + var part744 = 
match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup30, + dup22, + setc("event_description","Timeout on read of peer"), + dup23, + ])); + + var msg713 = msg("UI_READ_TIMEOUT", part744); + + var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ + dup60, + dup22, + setc("event_description","System reboot or halt"), + dup23, + ])); + + var msg714 = msg("UI_REBOOT_EVENT", part745); + + var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup29, + dup22, + setc("event_description","user restarting daemon"), + dup23, + ])); + + var msg715 = msg("UI_RESTART_EVENT", part746); + + var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Schema is out of date"), + dup23, + ])); + + var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); + + var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Schema major version mismatch"), + dup23, + ])); + + var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); + + var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Schema minor version mismatch"), + dup23, + ])); + + var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); + 
+ var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","Schema header sequence numbers mismatch"), + dup23, + ])); + + var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); + + var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup30, + dup22, + setc("event_description","Schema sequence number mismatch"), + dup23, + ])); + + var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); + + var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup23, + ])); + + var msg721 = msg("UI_SYNC_OTHER_RE", part752); + + var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup30, + dup22, + dup129, + dup23, + ])); + + var msg722 = msg("UI_TACPLUS_ERROR", part753); + + var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fetch system version"), + dup23, + ])); + + var msg723 = msg("UI_VERSION_FAILED", part754); + + var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ + dup21, + dup22, + setc("event_description","Re-establishing connection to peer"), + dup23, + ])); + + var msg724 = 
msg("UI_WRITE_RECONNECT", part755); + + var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ + dup21, + dup22, + setc("event_description","Interface new master for User"), + dup23, + ])); + + var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); + + var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ + dup69, + dup34, + dup35, + dup43, + dup22, + setc("event_description","Unable to authenticate client"), + dup23, + ])); + + var msg726 = msg("WEB_AUTH_FAIL", part757); + + var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ + dup80, + dup34, + dup35, + dup37, + dup22, + setc("event_description","Authenticated client"), + dup23, + ])); + + var msg727 = msg("WEB_AUTH_SUCCESS", part758); + + var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ + setc("eventcategory","1001030300"), + dup22, + setc("event_description","web request from unauthorized interface"), + dup23, + ])); + + var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); + + var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + dup74, + dup22, + setc("event_description","Unable to read from client"), + dup23, + ])); + + var msg729 = msg("WEB_READ", part760); + + var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: 
%{result}, failed to check request %{url}", processor_chain([ + setc("eventcategory","1204020100"), + dup22, + setc("event_description","failed to check web request"), + dup23, + ])); + + var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); + + var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup74, + dup53, + dup43, + dup22, + dup52, + ])); + + var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); + + var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup29, + dup22, + setc("event_description","Bridge Address"), + dup23, + ])); + + var msg732 = msg("eswd", part763); + + var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ + dup29, + dup22, + setc("event_description","ESWD STP State Change Info"), + dup23, + ])); + + var msg733 = msg("eswd:01", part764); + + var select72 = linear_select([ + msg732, + msg733, + ]); + + var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup29, + dup22, + dup26, + dup23, + ])); + + var msg734 = msg("/usr/sbin/cron", part765); + + var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup29, + dup22, + setc("event_description","Link status change event"), + dup23, + ])); + + var msg735 = msg("chassism:02", part766); + + var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup29, + dup22, + setc("event_description","ifd process flaps"), + 
dup23, + ])); + + var msg736 = msg("chassism:01", part767); + + var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup29, + dup22, + setc("event_description","IFCM "), + dup23, + ])); + + var msg737 = msg("chassism", part768); + + var select73 = linear_select([ + msg735, + msg736, + msg737, + ]); + + var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); + + var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); + + var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); + + var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); + + var select74 = linear_select([ + msg738, + msg739, + msg740, + msg741, + ]); + + var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); + + var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); + + var select75 = linear_select([ + msg742, + msg743, + ]); + + var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ + dup46, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); + + var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ + dup46, + dup47, + dup23, + ])); + + var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); + + var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ + dup46, + dup47, + dup23, + dup22, + 
dup128, + ])); + + var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); + + var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ + dup46, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); + + var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup48, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); + + var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ + dup46, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg749 = msg("LACPD_TIMEOUT", part778); + + var msg750 = msg("cli", dup159); + + var msg751 = msg("pfed", dup159); + + var msg752 = msg("idpinfo", dup159); + + var msg753 = msg("kmd", dup159); + + var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg754 = msg("node:01", part779); + + var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg755 = msg("node:02", part780); + + var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg756 = msg("node:03", part781); + + var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority 
%{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg757 = msg("node:04", part782); + + var select76 = linear_select([ + dup131, + dup132, + ]); + + var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); + + var select77 = linear_select([ + dup132, + dup131, + ]); + + var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); + + var all44 = all_match({ + processors: [ + dup130, + select76, + part783, + select77, + part784, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + ]), + }); + + var msg758 = msg("node:05", all44); + + var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); + + var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); + + var select78 = linear_select([ + part785, + part786, + ]); + + var all45 = all_match({ + processors: [ + dup130, + select78, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + ]), + }); + + var msg759 = msg("node:06", all45); + + var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg760 = msg("node:07", part787); + + var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg761 = msg("node:08", part788); + + var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg762 = msg("node:09", part789); + + var select79 = linear_select([ + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + ]); + + var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) 
%{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg763 = msg("(FPC:01", part790); + + var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg764 = msg("(FPC:02", part791); + + var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); + + var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); + + var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); + + var select80 = linear_select([ + part793, + part794, + ]); + + var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); + + var all46 = all_match({ + processors: [ + part792, + select80, + part795, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + dup24, + ]), + }); + + var msg765 = msg("(FPC:03", all46); + + var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg766 = msg("(FPC:04", part796); + + var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg767 = msg("(FPC:05", part797); + + var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg768 = msg("(FPC", part798); + + var select81 = linear_select([ + msg763, + msg764, + msg765, + msg766, 
+ msg767, + msg768, + ]); + + var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup48, + dup23, + dup22, + dup24, + ])); + + var msg769 = msg("tnp.bootpd", part799); + + var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup48, + dup52, + dup22, + dup61, + ])); + + var msg770 = msg("AAMW_ACTION_LOG", part800); + + var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup133, + dup52, + dup22, + dup61, + ])); + + var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); + + var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup133, + dup52, + dup22, + ])); + + var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); + + var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ + dup81, + dup52, + dup22, + dup61, + ])); + + var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); + + var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup81, + dup52, + dup22, + dup61, + ])); + + var msg774 = msg("RT_SCREEN_ICMP", part804); + + var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup46, + dup52, + dup22, + dup61, + ])); + + var msg775 = msg("SECINTEL_ACTION_LOG", part805); + + var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); + + var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); + + var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); + + var select82 = linear_select([ + part807, + part808, + ]); + + var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); + + var all47 = all_match({ + processors: [ + part806, + select82, + part809, + ], + on_success: processor_chain([ + dup21, + dup22, + dup23, + ]), + }); + + var msg776 = msg("qsfp", all47); + + var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup21, + dup22, + dup121, + dup23, + ])); + + var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); + + var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup125, + dup34, + dup35, + dup126, + dup37, + dup22, + setc("event_description","LOGOUT"), + dup23, + ])); + + var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); + + var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup30, + dup22, + dup129, + dup23, + ])); + + var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); + + var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", 
"%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup30, + dup22, + dup57, + dup23, + ])); + + var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); + + var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup21, + dup22, + dup38, + dup23, + ])); + + var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); + + var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); + + var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); + + var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); + + var select83 = linear_select([ + part816, + part817, + ]); + + var all48 = all_match({ + processors: [ + part815, + select83, + ], + on_success: processor_chain([ + dup21, + dup22, + dup38, + dup23, + ]), + }); + + var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); + + var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ + dup21, + dup22, + dup23, + ])); + + var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); + + var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup134, + dup23, + dup22, + setc("event_description","Interface Monitor failed "), + dup24, + ])); + + var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); + + var 
part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup134, + dup23, + dup22, + setc("event_description","Interface Monitor failure recovered"), + dup24, + ])); + + var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); + + var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup134, + dup23, + dup22, + dup24, + ])); + + var msg786 = msg("JUNOSROUTER_GENERIC", part821); + + var select84 = linear_select([ + msg777, + msg778, + msg779, + msg780, + msg781, + msg782, + msg783, + msg784, + msg785, + msg786, + ]); + + var chain1 = processor_chain([ + select5, + msgid_select({ + "(FPC": select81, + "/usr/libexec/telnetd": msg2, + "/usr/sbin/cron": msg734, + "/usr/sbin/sshd": msg1, + "AAMWD_NETWORK_CONNECT_FAILED": msg745, + "AAMW_ACTION_LOG": msg770, + "AAMW_HOST_INFECTED_EVENT_LOG": msg771, + "AAMW_MALWARE_EVENT_LOG": msg772, + "ACCT_ACCOUNTING_FERROR": msg114, + "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, + "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, + "ACCT_BAD_RECORD_FORMAT": msg117, + "ACCT_CU_RTSLIB_error": msg118, + "ACCT_GETHOSTNAME_error": msg119, + "ACCT_MALLOC_FAILURE": msg120, + "ACCT_UNDEFINED_COUNTER_NAME": msg121, + "ACCT_XFER_FAILED": msg122, + "ACCT_XFER_POPEN_FAIL": msg123, + "APPQOS_LOG_EVENT": msg124, + "APPTRACK_SESSION_CLOSE": select30, + "APPTRACK_SESSION_CREATE": msg125, + "APPTRACK_SESSION_VOL_UPDATE": select31, + "BCHIP": msg106, + "BFDD_TRAP_STATE_DOWN": msg130, + "BFDD_TRAP_STATE_UP": msg131, + "BOOTPD_ARG_ERR": msg143, + "BOOTPD_BAD_ID": msg144, + "BOOTPD_BOOTSTRING": msg145, + "BOOTPD_CONFIG_ERR": msg146, + "BOOTPD_CONF_OPEN": msg147, + "BOOTPD_DUP_REV": msg148, + "BOOTPD_DUP_SLOT": msg149, + "BOOTPD_MODEL_CHK": msg150, + "BOOTPD_MODEL_ERR": msg151, + "BOOTPD_NEW_CONF": msg152, + "BOOTPD_NO_BOOTSTRING": msg153, + "BOOTPD_NO_CONFIG": msg154, + "BOOTPD_PARSE_ERR": msg155, + 
"BOOTPD_REPARSE": msg156, + "BOOTPD_SELECT_ERR": msg157, + "BOOTPD_TIMEOUT": msg158, + "BOOTPD_VERSION": msg159, + "CHASSISD": msg160, + "CHASSISD_ARGUMENT_ERROR": msg161, + "CHASSISD_BLOWERS_SPEED": msg162, + "CHASSISD_BLOWERS_SPEED_FULL": msg163, + "CHASSISD_CB_READ": msg164, + "CHASSISD_COMMAND_ACK_ERROR": msg165, + "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, + "CHASSISD_CONCAT_MODE_ERROR": msg167, + "CHASSISD_CONFIG_INIT_ERROR": msg168, + "CHASSISD_CONFIG_WARNING": msg169, + "CHASSISD_EXISTS": msg170, + "CHASSISD_EXISTS_TERM_OTHER": msg171, + "CHASSISD_FILE_OPEN": msg172, + "CHASSISD_FILE_STAT": msg173, + "CHASSISD_FRU_EVENT": msg174, + "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, + "CHASSISD_FRU_STEP_ERROR": msg176, + "CHASSISD_GETTIMEOFDAY": msg177, + "CHASSISD_HIGH_TEMP_CONDITION": msg214, + "CHASSISD_HOST_TEMP_READ": msg178, + "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, + "CHASSISD_IFDEV_DETACH_FPC": msg180, + "CHASSISD_IFDEV_DETACH_PIC": msg181, + "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, + "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, + "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, + "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, + "CHASSISD_IPC_UNEXPECTED_RECV": msg186, + "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, + "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, + "CHASSISD_MAC_ADDRESS_ERROR": msg189, + "CHASSISD_MAC_DEFAULT": msg190, + "CHASSISD_MBUS_ERROR": msg191, + "CHASSISD_PARSE_COMPLETE": msg192, + "CHASSISD_PARSE_ERROR": msg193, + "CHASSISD_PARSE_INIT": msg194, + "CHASSISD_PIDFILE_OPEN": msg195, + "CHASSISD_PIPE_WRITE_ERROR": msg196, + "CHASSISD_POWER_CHECK": msg197, + "CHASSISD_RECONNECT_SUCCESSFUL": msg198, + "CHASSISD_RELEASE_MASTERSHIP": msg199, + "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, + "CHASSISD_ROOT_MOUNT_ERROR": msg201, + "CHASSISD_RTS_SEQ_ERROR": msg202, + "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, + "CHASSISD_SERIAL_ID": msg204, + "CHASSISD_SMB_ERROR": msg205, + "CHASSISD_SNMP_TRAP10": msg208, + "CHASSISD_SNMP_TRAP6": msg206, + "CHASSISD_SNMP_TRAP7": 
msg207, + "CHASSISD_TERM_SIGNAL": msg209, + "CHASSISD_TRACE_PIC_OFFLINE": msg210, + "CHASSISD_UNEXPECTED_EXIT": msg211, + "CHASSISD_UNSUPPORTED_MODEL": msg212, + "CHASSISD_VERSION_MISMATCH": msg213, + "CM": msg107, + "CM_JAVA": msg216, + "COS": msg108, + "COSFPC": msg109, + "COSMAN": msg110, + "CRON": msg16, + "CROND": select11, + "Cmerror": msg17, + "DCD_AS_ROOT": msg217, + "DCD_FILTER_LIB_ERROR": msg218, + "DCD_MALLOC_FAILED_INIT": msg219, + "DCD_PARSE_EMERGENCY": msg220, + "DCD_PARSE_FILTER_EMERGENCY": msg221, + "DCD_PARSE_MINI_EMERGENCY": msg222, + "DCD_PARSE_STATE_EMERGENCY": msg223, + "DCD_POLICER_PARSE_EMERGENCY": msg224, + "DCD_PULL_LOG_FAILURE": msg225, + "DFWD_ARGUMENT_ERROR": msg226, + "DFWD_MALLOC_FAILED_INIT": msg227, + "DFWD_PARSE_FILTER_EMERGENCY": msg228, + "DFWD_PARSE_STATE_EMERGENCY": msg229, + "ECCD_DAEMONIZE_FAILED": msg230, + "ECCD_DUPLICATE": msg231, + "ECCD_LOOP_EXIT_FAILURE": msg232, + "ECCD_NOT_ROOT": msg233, + "ECCD_PCI_FILE_OPEN_FAILED": msg234, + "ECCD_PCI_READ_FAILED": msg235, + "ECCD_PCI_WRITE_FAILED": msg236, + "ECCD_PID_FILE_LOCK": msg237, + "ECCD_PID_FILE_UPDATE": msg238, + "ECCD_TRACE_FILE_OPEN_FAILED": msg239, + "ECCD_usage": msg240, + "EVENT": msg23, + "EVENTD_AUDIT_SHOW": msg241, + "FLOW_REASSEMBLE_FAIL": msg731, + "FLOW_REASSEMBLE_SUCCEED": msg242, + "FSAD_CHANGE_FILE_OWNER": msg243, + "FSAD_CONFIG_ERROR": msg244, + "FSAD_CONNTIMEDOUT": msg245, + "FSAD_FAILED": msg246, + "FSAD_FETCHTIMEDOUT": msg247, + "FSAD_FILE_FAILED": msg248, + "FSAD_FILE_REMOVE": msg249, + "FSAD_FILE_RENAME": msg250, + "FSAD_FILE_STAT": msg251, + "FSAD_FILE_SYNC": msg252, + "FSAD_MAXCONN": msg253, + "FSAD_MEMORYALLOC_FAILED": msg254, + "FSAD_NOT_ROOT": msg255, + "FSAD_PARENT_DIRECTORY": msg256, + "FSAD_PATH_IS_DIRECTORY": msg257, + "FSAD_PATH_IS_SPECIAL": msg258, + "FSAD_RECVERROR": msg259, + "FSAD_TERMINATED_CONNECTION": msg260, + "FSAD_TERMINATING_SIGNAL": msg261, + "FSAD_TRACEOPEN_FAILED": msg262, + "FSAD_USAGE": msg263, + "Failed": select25, + 
"GGSN_ALARM_TRAP_FAILED": msg264, + "GGSN_ALARM_TRAP_SEND": msg265, + "GGSN_TRAP_SEND": msg266, + "IDP_ATTACK_LOG_EVENT": msg773, + "JADE_AUTH_ERROR": msg267, + "JADE_EXEC_ERROR": msg268, + "JADE_NO_LOCAL_USER": msg269, + "JADE_PAM_ERROR": msg270, + "JADE_PAM_NO_LOCAL_USER": msg271, + "JSRPD_HA_CONTROL_LINK_UP": msg748, + "JUNOSROUTER_GENERIC": select84, + "KERN_ARP_ADDR_CHANGE": msg272, + "KMD_PM_SA_ESTABLISHED": msg273, + "L2CPD_TASK_REINIT": msg274, + "LACPD_TIMEOUT": msg749, + "LIBJNX_EXEC_EXITED": msg275, + "LIBJNX_EXEC_FAILED": msg276, + "LIBJNX_EXEC_PIPE": msg277, + "LIBJNX_EXEC_SIGNALED": msg278, + "LIBJNX_EXEC_WEXIT": msg279, + "LIBJNX_FILE_COPY_FAILED": msg280, + "LIBJNX_PRIV_LOWER_FAILED": msg281, + "LIBJNX_PRIV_RAISE_FAILED": msg282, + "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, + "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, + "LIBSERVICED_CLIENT_CONNECTION": msg285, + "LIBSERVICED_OUTBOUND_REQUEST": msg286, + "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, + "LIBSERVICED_SOCKET_BIND": msg288, + "LIBSERVICED_SOCKET_PRIVATIZE": msg289, + "LICENSE_EXPIRED": msg290, + "LICENSE_EXPIRED_KEY_DELETED": msg291, + "LICENSE_NEARING_EXPIRY": msg292, + "LOGIN_ABORTED": msg293, + "LOGIN_FAILED": msg294, + "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, + "LOGIN_FAILED_SET_CONTEXT": msg296, + "LOGIN_FAILED_SET_LOGIN": msg297, + "LOGIN_HOSTNAME_UNRESOLVED": msg298, + "LOGIN_INFORMATION": msg299, + "LOGIN_INVALID_LOCAL_USER": msg300, + "LOGIN_MALFORMED_USER": msg301, + "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, + "LOGIN_PAM_ERROR": msg303, + "LOGIN_PAM_MAX_RETRIES": msg304, + "LOGIN_PAM_NONLOCAL_USER": msg305, + "LOGIN_PAM_STOP": msg306, + "LOGIN_PAM_USER_UNKNOWN": msg307, + "LOGIN_PASSWORD_EXPIRED": msg308, + "LOGIN_REFUSED": msg309, + "LOGIN_ROOT": msg310, + "LOGIN_TIMED_OUT": msg311, + "MIB2D_ATM_ERROR": msg312, + "MIB2D_CONFIG_CHECK_FAILED": msg313, + "MIB2D_FILE_OPEN_FAILURE": msg314, + "MIB2D_IFD_IFINDEX_FAILURE": msg315, + "MIB2D_IFL_IFINDEX_FAILURE": msg316, + 
"MIB2D_INIT_FAILURE": msg317, + "MIB2D_KVM_FAILURE": msg318, + "MIB2D_RTSLIB_READ_FAILURE": msg319, + "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, + "MIB2D_SYSCTL_FAILURE": msg321, + "MIB2D_TRAP_HEADER_FAILURE": msg322, + "MIB2D_TRAP_SEND_FAILURE": msg323, + "MRVL-L2": msg56, + "Multiuser": msg324, + "NASD_AUTHENTICATION_CREATE_FAILED": msg325, + "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, + "NASD_CHAP_GETHOSTNAME_FAILED": msg327, + "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, + "NASD_CHAP_INVALID_OPCODE": msg329, + "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, + "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, + "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, + "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, + "NASD_DAEMONIZE_FAILED": msg334, + "NASD_DB_ALLOC_FAILURE": msg335, + "NASD_DB_TABLE_CREATE_FAILURE": msg336, + "NASD_DUPLICATE": msg337, + "NASD_EVLIB_CREATE_FAILURE": msg338, + "NASD_EVLIB_EXIT_FAILURE": msg339, + "NASD_LOCAL_CREATE_FAILED": msg340, + "NASD_NOT_ROOT": msg341, + "NASD_PID_FILE_LOCK": msg342, + "NASD_PID_FILE_UPDATE": msg343, + "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, + "NASD_PPP_READ_FAILURE": msg345, + "NASD_PPP_SEND_FAILURE": msg346, + "NASD_PPP_SEND_PARTIAL": msg347, + "NASD_PPP_UNRECOGNIZED": msg348, + "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, + "NASD_RADIUS_CONFIG_FAILED": msg350, + "NASD_RADIUS_CREATE_FAILED": msg351, + "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, + "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, + "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, + "NASD_RADIUS_OPEN_FAILED": msg355, + "NASD_RADIUS_SELECT_FAILED": msg356, + "NASD_RADIUS_SET_TIMER_FAILED": msg357, + "NASD_TRACE_FILE_OPEN_FAILED": msg358, + "NASD_usage": msg359, + "NOTICE": msg360, + "PFEMAN": msg61, + "PFE_FW_SYSLOG_IP": select36, + "PFE_NH_RESOLVE_THROTTLED": msg363, + "PING_TEST_COMPLETED": msg364, + "PING_TEST_FAILED": msg365, + "PKID_UNABLE_TO_GET_CRL": msg746, + "PWC_EXIT": msg368, + "PWC_HOLD_RELEASE": msg369, + "PWC_INVALID_RUNS_ARGUMENT": msg370, + 
"PWC_INVALID_TIMEOUT_ARGUMENT": msg371, + "PWC_KILLED_BY_SIGNAL": msg372, + "PWC_KILL_EVENT": msg373, + "PWC_KILL_FAILED": msg374, + "PWC_KQUEUE_ERROR": msg375, + "PWC_KQUEUE_INIT": msg376, + "PWC_KQUEUE_REGISTER_FILTER": msg377, + "PWC_LOCKFILE_BAD_FORMAT": msg378, + "PWC_LOCKFILE_ERROR": msg379, + "PWC_LOCKFILE_MISSING": msg380, + "PWC_LOCKFILE_NOT_LOCKED": msg381, + "PWC_NO_PROCESS": msg382, + "PWC_PROCESS_EXIT": msg383, + "PWC_PROCESS_FORCED_HOLD": msg384, + "PWC_PROCESS_HOLD": msg385, + "PWC_PROCESS_HOLD_SKIPPED": msg386, + "PWC_PROCESS_OPEN": msg387, + "PWC_PROCESS_TIMED_HOLD": msg388, + "PWC_PROCESS_TIMEOUT": msg389, + "PWC_SIGNAL_INIT": msg390, + "PWC_SOCKET_CONNECT": msg391, + "PWC_SOCKET_CREATE": msg392, + "PWC_SOCKET_OPTION": msg393, + "PWC_STDOUT_WRITE": msg394, + "PWC_SYSTEM_CALL": msg395, + "PWC_UNKNOWN_KILL_OPTION": msg396, + "RDP": msg111, + "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, + "RMOPD_ADDRESS_SOURCE_INVALID": msg398, + "RMOPD_ADDRESS_STRING_FAILURE": msg399, + "RMOPD_ADDRESS_TARGET_INVALID": msg400, + "RMOPD_DUPLICATE": msg401, + "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, + "RMOPD_ICMP_SENDMSG_FAILURE": msg403, + "RMOPD_IFINDEX_NOT_ACTIVE": msg404, + "RMOPD_IFINDEX_NO_INFO": msg405, + "RMOPD_IFNAME_NOT_ACTIVE": msg406, + "RMOPD_IFNAME_NO_INFO": msg407, + "RMOPD_NOT_ROOT": msg408, + "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, + "RMOPD_TRACEROUTE_ERROR": msg410, + "RMOPD_usage": msg411, + "RPD_ABORT": msg412, + "RPD_ACTIVE_TERMINATE": msg413, + "RPD_ASSERT": msg414, + "RPD_ASSERT_SOFT": msg415, + "RPD_EXIT": msg416, + "RPD_IFL_INDEXCOLLISION": msg417, + "RPD_IFL_NAMECOLLISION": msg418, + "RPD_ISIS_ADJDOWN": msg419, + "RPD_ISIS_ADJUP": msg420, + "RPD_ISIS_ADJUPNOIP": msg421, + "RPD_ISIS_LSPCKSUM": msg422, + "RPD_ISIS_OVERLOAD": msg423, + "RPD_KRT_AFUNSUPRT": msg424, + "RPD_KRT_CCC_IFL_MODIFY": msg425, + "RPD_KRT_DELETED_RTT": msg426, + "RPD_KRT_IFA_GENERATION": msg427, + "RPD_KRT_IFDCHANGE": msg428, + "RPD_KRT_IFDEST_GET": msg429, + 
"RPD_KRT_IFDGET": msg430, + "RPD_KRT_IFD_GENERATION": msg431, + "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, + "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, + "RPD_KRT_IFL_GENERATION": msg434, + "RPD_KRT_KERNEL_BAD_ROUTE": msg435, + "RPD_KRT_NEXTHOP_OVERFLOW": msg436, + "RPD_KRT_NOIFD": msg437, + "RPD_KRT_UNKNOWN_RTT": msg438, + "RPD_KRT_VERSION": msg439, + "RPD_KRT_VERSIONNONE": msg440, + "RPD_KRT_VERSIONOLD": msg441, + "RPD_LDP_INTF_BLOCKED": msg442, + "RPD_LDP_INTF_UNBLOCKED": msg443, + "RPD_LDP_NBRDOWN": msg444, + "RPD_LDP_NBRUP": msg445, + "RPD_LDP_SESSIONDOWN": msg446, + "RPD_LDP_SESSIONUP": msg447, + "RPD_LOCK_FLOCKED": msg448, + "RPD_LOCK_LOCKED": msg449, + "RPD_MPLS_LSP_CHANGE": msg450, + "RPD_MPLS_LSP_DOWN": msg451, + "RPD_MPLS_LSP_SWITCH": msg452, + "RPD_MPLS_LSP_UP": msg453, + "RPD_MSDP_PEER_DOWN": msg454, + "RPD_MSDP_PEER_UP": msg455, + "RPD_OSPF_NBRDOWN": msg456, + "RPD_OSPF_NBRUP": msg457, + "RPD_OS_MEMHIGH": msg458, + "RPD_PIM_NBRDOWN": msg459, + "RPD_PIM_NBRUP": msg460, + "RPD_RDISC_CKSUM": msg461, + "RPD_RDISC_NOMULTI": msg462, + "RPD_RDISC_NORECVIF": msg463, + "RPD_RDISC_SOLICITADDR": msg464, + "RPD_RDISC_SOLICITICMP": msg465, + "RPD_RDISC_SOLICITLEN": msg466, + "RPD_RIP_AUTH": msg467, + "RPD_RIP_JOIN_BROADCAST": msg468, + "RPD_RIP_JOIN_MULTICAST": msg469, + "RPD_RT_IFUP": msg470, + "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, + "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, + "RPD_SCHED_MODULE_LONGRUNTIME": msg473, + "RPD_SCHED_TASK_LONGRUNTIME": msg474, + "RPD_SIGNAL_TERMINATE": msg475, + "RPD_START": msg476, + "RPD_SYSTEM": msg477, + "RPD_TASK_BEGIN": msg478, + "RPD_TASK_CHILDKILLED": msg479, + "RPD_TASK_CHILDSTOPPED": msg480, + "RPD_TASK_FORK": msg481, + "RPD_TASK_GETWD": msg482, + "RPD_TASK_NOREINIT": msg483, + "RPD_TASK_PIDCLOSED": msg484, + "RPD_TASK_PIDFLOCK": msg485, + "RPD_TASK_PIDWRITE": msg486, + "RPD_TASK_REINIT": msg487, + "RPD_TASK_SIGNALIGNORE": msg488, + "RT_COS": msg489, + "RT_FLOW_SESSION_CLOSE": select51, + 
"RT_FLOW_SESSION_CREATE": select45, + "RT_FLOW_SESSION_DENY": select47, + "RT_SCREEN_ICMP": msg774, + "RT_SCREEN_IP": select52, + "RT_SCREEN_SESSION_LIMIT": msg504, + "RT_SCREEN_TCP": msg503, + "RT_SCREEN_UDP": msg505, + "Resolve": msg63, + "SECINTEL_ACTION_LOG": msg775, + "SECINTEL_ERROR_OTHERS": msg747, + "SECINTEL_NETWORK_CONNECT_FAILED": msg744, + "SERVICED_CLIENT_CONNECT": msg506, + "SERVICED_CLIENT_DISCONNECTED": msg507, + "SERVICED_CLIENT_ERROR": msg508, + "SERVICED_COMMAND_FAILED": msg509, + "SERVICED_COMMIT_FAILED": msg510, + "SERVICED_CONFIGURATION_FAILED": msg511, + "SERVICED_CONFIG_ERROR": msg512, + "SERVICED_CONFIG_FILE": msg513, + "SERVICED_CONNECTION_ERROR": msg514, + "SERVICED_DISABLED_GGSN": msg515, + "SERVICED_DUPLICATE": msg516, + "SERVICED_EVENT_FAILED": msg517, + "SERVICED_INIT_FAILED": msg518, + "SERVICED_MALLOC_FAILURE": msg519, + "SERVICED_NETWORK_FAILURE": msg520, + "SERVICED_NOT_ROOT": msg521, + "SERVICED_PID_FILE_LOCK": msg522, + "SERVICED_PID_FILE_UPDATE": msg523, + "SERVICED_RTSOCK_SEQUENCE": msg524, + "SERVICED_SIGNAL_HANDLER": msg525, + "SERVICED_SOCKET_CREATE": msg526, + "SERVICED_SOCKET_IO": msg527, + "SERVICED_SOCKET_OPTION": msg528, + "SERVICED_STDLIB_FAILURE": msg529, + "SERVICED_USAGE": msg530, + "SERVICED_WORK_INCONSISTENCY": msg531, + "SNMPD_ACCESS_GROUP_ERROR": msg537, + "SNMPD_AUTH_FAILURE": select53, + "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, + "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, + "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, + "SNMPD_CONFIG_ERROR": msg545, + "SNMPD_CONTEXT_ERROR": msg546, + "SNMPD_ENGINE_FILE_FAILURE": msg547, + "SNMPD_ENGINE_PROCESS_ERROR": msg548, + "SNMPD_FILE_FAILURE": msg549, + "SNMPD_GROUP_ERROR": msg550, + "SNMPD_INIT_FAILED": msg551, + "SNMPD_LIBJUNIPER_FAILURE": msg552, + "SNMPD_LOOPBACK_ADDR_ERROR": msg553, + "SNMPD_MEMORY_FREED": msg554, + "SNMPD_RADIX_FAILURE": msg555, + "SNMPD_RECEIVE_FAILURE": msg556, + "SNMPD_RMONFILE_FAILURE": msg557, + "SNMPD_RMON_COOKIE": msg558, + "SNMPD_RMON_EVENTLOG": 
msg559, + "SNMPD_RMON_IOERROR": msg560, + "SNMPD_RMON_MIBERROR": msg561, + "SNMPD_RTSLIB_ASYNC_EVENT": msg562, + "SNMPD_SEND_FAILURE": select54, + "SNMPD_SOCKET_FAILURE": msg565, + "SNMPD_SUBAGENT_NO_BUFFERS": msg566, + "SNMPD_SUBAGENT_SEND_FAILED": msg567, + "SNMPD_SYSLIB_FAILURE": msg568, + "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, + "SNMPD_TRAP_COLD_START": msg570, + "SNMPD_TRAP_GEN_FAILURE": msg571, + "SNMPD_TRAP_GEN_FAILURE2": msg572, + "SNMPD_TRAP_INVALID_DATA": msg573, + "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, + "SNMPD_TRAP_QUEUED": msg575, + "SNMPD_TRAP_QUEUE_DRAINED": msg576, + "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, + "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, + "SNMPD_TRAP_THROTTLED": msg579, + "SNMPD_TRAP_TYPE_ERROR": msg580, + "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, + "SNMPD_TRAP_VERSION_ERROR": msg582, + "SNMPD_TRAP_WARM_START": msg583, + "SNMPD_USER_ERROR": msg584, + "SNMPD_VIEW_DELETE": msg585, + "SNMPD_VIEW_INSTALL_DEFAULT": msg586, + "SNMPD_VIEW_OID_PARSE": msg587, + "SNMP_GET_ERROR1": msg588, + "SNMP_GET_ERROR2": msg589, + "SNMP_GET_ERROR3": msg590, + "SNMP_GET_ERROR4": msg591, + "SNMP_NS_LOG_INFO": msg535, + "SNMP_RTSLIB_FAILURE": msg592, + "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, + "SNMP_TRAP_LINK_DOWN": select55, + "SNMP_TRAP_LINK_UP": select56, + "SNMP_TRAP_PING_PROBE_FAILED": msg597, + "SNMP_TRAP_PING_TEST_COMPLETED": msg598, + "SNMP_TRAP_PING_TEST_FAILED": msg599, + "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, + "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, + "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, + "SNTPD": msg112, + "SSB": msg113, + "SSHD_LOGIN_FAILED": select57, + "SSL_PROXY_SESSION_IGNORE": msg534, + "SSL_PROXY_SSL_SESSION_ALLOW": msg532, + "SSL_PROXY_SSL_SESSION_DROP": msg533, + "TASK_TASK_REINIT": msg606, + "TFTPD_AF_ERR": msg607, + "TFTPD_BIND_ERR": msg608, + "TFTPD_CONNECT_ERR": msg609, + "TFTPD_CONNECT_INFO": msg610, + "TFTPD_CREATE_ERR": msg611, + "TFTPD_FIO_ERR": msg612, + "TFTPD_FORK_ERR": msg613, + "TFTPD_NAK_ERR": msg614, + 
"TFTPD_OPEN_ERR": msg615, + "TFTPD_RECVCOMPLETE_INFO": msg616, + "TFTPD_RECVFROM_ERR": msg617, + "TFTPD_RECV_ERR": msg618, + "TFTPD_SENDCOMPLETE_INFO": msg619, + "TFTPD_SEND_ERR": msg620, + "TFTPD_SOCKET_ERR": msg621, + "TFTPD_STATFS_ERR": msg622, + "TNP": msg623, + "UI_AUTH_EVENT": msg628, + "UI_AUTH_INVALID_CHALLENGE": msg629, + "UI_BOOTTIME_FAILED": msg630, + "UI_CFG_AUDIT_NEW": select58, + "UI_CFG_AUDIT_OTHER": select60, + "UI_CFG_AUDIT_SET": select63, + "UI_CFG_AUDIT_SET_SECRET": select64, + "UI_CHILD_ARGS_EXCEEDED": msg645, + "UI_CHILD_CHANGE_USER": msg646, + "UI_CHILD_EXEC": msg647, + "UI_CHILD_EXITED": msg648, + "UI_CHILD_FOPEN": msg649, + "UI_CHILD_PIPE_FAILED": msg650, + "UI_CHILD_SIGNALED": msg651, + "UI_CHILD_START": msg653, + "UI_CHILD_STATUS": msg654, + "UI_CHILD_STOPPED": msg652, + "UI_CHILD_WAITPID": msg655, + "UI_CLI_IDLE_TIMEOUT": msg656, + "UI_CMDLINE_READ_LINE": msg657, + "UI_CMDSET_EXEC_FAILED": msg658, + "UI_CMDSET_FORK_FAILED": msg659, + "UI_CMDSET_PIPE_FAILED": msg660, + "UI_CMDSET_STOPPED": msg661, + "UI_CMDSET_WEXITED": msg662, + "UI_CMD_AUTH_REGEX_INVALID": msg663, + "UI_COMMIT": msg664, + "UI_COMMIT_AT": msg665, + "UI_COMMIT_AT_COMPLETED": msg666, + "UI_COMMIT_AT_FAILED": msg667, + "UI_COMMIT_COMPRESS_FAILED": msg668, + "UI_COMMIT_CONFIRMED": msg669, + "UI_COMMIT_CONFIRMED_REMINDER": msg670, + "UI_COMMIT_CONFIRMED_TIMED": msg671, + "UI_COMMIT_EMPTY_CONTAINER": msg672, + "UI_COMMIT_NOT_CONFIRMED": msg673, + "UI_COMMIT_PROGRESS": msg674, + "UI_COMMIT_QUIT": msg675, + "UI_COMMIT_ROLLBACK_FAILED": msg676, + "UI_COMMIT_SYNC": msg677, + "UI_COMMIT_SYNC_FORCE": msg678, + "UI_CONFIGURATION_ERROR": msg679, + "UI_DAEMON_ACCEPT_FAILED": msg680, + "UI_DAEMON_FORK_FAILED": msg681, + "UI_DAEMON_SELECT_FAILED": msg682, + "UI_DAEMON_SOCKET_FAILED": msg683, + "UI_DBASE_ACCESS_FAILED": msg684, + "UI_DBASE_CHECKOUT_FAILED": msg685, + "UI_DBASE_EXTEND_FAILED": msg686, + "UI_DBASE_LOGIN_EVENT": msg687, + "UI_DBASE_LOGOUT_EVENT": msg688, + 
"UI_DBASE_MISMATCH_EXTENT": msg689, + "UI_DBASE_MISMATCH_MAJOR": msg690, + "UI_DBASE_MISMATCH_MINOR": msg691, + "UI_DBASE_MISMATCH_SEQUENCE": msg692, + "UI_DBASE_MISMATCH_SIZE": msg693, + "UI_DBASE_OPEN_FAILED": msg694, + "UI_DBASE_REBUILD_FAILED": msg695, + "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, + "UI_DBASE_REBUILD_STARTED": msg697, + "UI_DBASE_RECREATE": msg698, + "UI_DBASE_REOPEN_FAILED": msg699, + "UI_DUPLICATE_UID": msg700, + "UI_JUNOSCRIPT_CMD": msg701, + "UI_JUNOSCRIPT_ERROR": msg702, + "UI_LOAD_EVENT": msg703, + "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, + "UI_LOGIN_EVENT": select71, + "UI_LOGOUT_EVENT": msg707, + "UI_LOST_CONN": msg708, + "UI_MASTERSHIP_EVENT": msg709, + "UI_MGD_TERMINATE": msg710, + "UI_NETCONF_CMD": msg711, + "UI_READ_FAILED": msg712, + "UI_READ_TIMEOUT": msg713, + "UI_REBOOT_EVENT": msg714, + "UI_RESTART_EVENT": msg715, + "UI_SCHEMA_CHECKOUT_FAILED": msg716, + "UI_SCHEMA_MISMATCH_MAJOR": msg717, + "UI_SCHEMA_MISMATCH_MINOR": msg718, + "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, + "UI_SCHEMA_SEQUENCE_ERROR": msg720, + "UI_SYNC_OTHER_RE": msg721, + "UI_TACPLUS_ERROR": msg722, + "UI_VERSION_FAILED": msg723, + "UI_WRITE_RECONNECT": msg724, + "VRRPD_NEWMASTER_TRAP": msg725, + "Version": msg99, + "WEBFILTER_REQUEST_NOT_CHECKED": msg730, + "WEBFILTER_URL_BLOCKED": select75, + "WEBFILTER_URL_PERMITTED": select74, + "WEB_AUTH_FAIL": msg726, + "WEB_AUTH_SUCCESS": msg727, + "WEB_INTERFACE_UNAUTH": msg728, + "WEB_READ": msg729, + "alarmd": msg3, + "bgp_connect_start": msg132, + "bgp_event": msg133, + "bgp_listen_accept": msg134, + "bgp_listen_reset": msg135, + "bgp_nexthop_sanity": msg136, + "bgp_pp_recv": select33, + "bgp_process_caps": select32, + "bgp_send": msg141, + "bgp_traffic_timeout": msg142, + "bigd": select6, + "bigpipe": select7, + "bigstart": msg9, + "cgatool": msg10, + "chassisd": msg11, + "chassism": select73, + "checkd": select8, + "clean_process": msg215, + "cli": msg750, + "cosd": msg14, + "craftd": msg15, + "cron": msg18, + 
"crond": msg21, + "dcd": msg22, + "eswd": select72, + "ftpd": msg24, + "ha_rto_stats_handler": msg25, + "hostinit": msg26, + "idpinfo": msg752, + "ifinfo": select13, + "ifp_ifl_anydown_change_event": msg30, + "ifp_ifl_config_event": msg31, + "ifp_ifl_ext_chg": msg32, + "inetd": select14, + "init": select15, + "ipc_msg_write": msg40, + "kernel": select17, + "kmd": msg753, + "last": select28, + "login": select18, + "lsys_ssam_handler": msg53, + "mcsn": msg54, + "mgd": msg62, + "mrvl_dfw_log_effuse_status": msg55, + "node": select79, + "pfed": msg751, + "process_mode": select38, + "profile_ssam_handler": msg57, + "pst_nat_binding_set_profile": msg58, + "qsfp": msg776, + "respawn": msg64, + "root": msg65, + "rpd": select20, + "rshd": msg70, + "sfd": msg71, + "sshd": select21, + "syslogd": msg92, + "task_connect": msg605, + "task_reconfigure": msg59, + "tnetd": msg60, + "tnp.bootpd": msg769, + "trace_on": msg624, + "trace_rotate": msg625, + "transfer-file": msg626, + "ttloop": msg627, + "ucd-snmp": select26, + "usp_ipc_client_reconnect": msg95, + "usp_trace_ipc_disconnect": msg96, + "usp_trace_ipc_reconnect": msg97, + "uspinfo": msg98, + "xntpd": select27, + }), + ]); + + var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + + var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + + var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var part831 = 
match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); + + var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); + + var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); + + var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); + + var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + + var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); + + var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); + + var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", 
"nwparser.payload", "%{event_type}: session denied %{p0}"); + + var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); + + var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); + + var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); + + var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); + + var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); + + var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", 
"nwparser.p0", "-> \"%{change_new}\""); + + var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + + var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + + var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var select85 = linear_select([ + dup14, + dup15, + dup16, + dup17, + ]); + + var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ + dup13, + ])); + + var select86 = linear_select([ + dup40, + dup41, + ]); + + var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup21, + dup22, + dup56, + dup23, + ])); + + var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup51, + dup22, + dup64, + dup23, + ])); + + var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup30, + dup22, + dup65, + dup23, + ])); + + var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Another copy of this program is running", processor_chain([ + dup30, + dup22, + dup66, + dup23, + ])); + + var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup30, + dup22, + dup67, + dup23, + ])); + + var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup30, + dup22, + dup68, + dup23, + ])); + + var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + dup71, + dup23, + ])); + + var select87 = linear_select([ + dup76, + dup77, + ]); + + var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup30, + dup22, + dup79, + dup23, + ])); + + var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup30, + dup22, + dup84, + dup23, + ])); + + var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup30, + dup22, + dup85, + dup23, + ])); + + var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup21, + dup22, + dup86, + dup23, + ])); + + var select88 = linear_select([ + dup88, + dup89, + ]); + + var select89 = linear_select([ + dup90, + dup45, + ]); + + var select90 = linear_select([ + dup95, + dup96, + ]); + + var 
select91 = linear_select([ + dup101, + dup91, + ]); + + var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup27, + dup22, + dup52, + ])); + + var select92 = linear_select([ + dup118, + dup119, + ]); + + var select93 = linear_select([ + dup123, + dup124, + ]); + + var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", 
"fld12", processor_chain([ + dup48, + dup47, + dup23, + dup22, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/juniper/1.1.1/data_stream/junos/agent/stream/udp.yml.hbs b/packages/juniper/1.1.1/data_stream/junos/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..2abb5c1182 --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/junos/agent/stream/udp.yml.hbs 
@@ -0,0 +1,12569 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Juniper" + product: "Junos" + type: "Routers" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
+ "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
+ "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
+ "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
+ "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
+ "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
+ "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
+ "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
+ "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
+ };
+
+ function to_date(value) {
+ switch (typeof (value)) {
+ case "object":
+ // This is a Date. But as it was obtained from evt.Get(), the VM
+ // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
+ // Have to trust that any object here is a valid Date for Go.
+ return value;
+ case "string":
+ var asDate = new Date(value);
+ if (!isNaN(asDate)) return asDate;
+ }
+ }
+
+ // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
+ var maxSafeInt = Math.pow(2, 53) - 1;
+ var minSafeInt = -maxSafeInt;
+
+ function to_long(value) {
+ var num = parseInt(value);
+ // Better not to index a number if it's not safe (above 53 bits).
+ return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ?
num : undefined;
+ }
+
+ function to_ip(value) {
+ if (value.indexOf(":") === -1)
+ return to_ipv4(value);
+ return to_ipv6(value);
+ }
+
+ var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
+
+ function to_ipv4(value) {
+ var result = ipv4_regex.exec(value);
+ if (result == null || result.length !== 5) return;
+ for (var i = 1; i < 5; i++) {
+ var num = strictToInt(result[i]);
+ if (isNaN(num) || num < 0 || num > 255) return;
+ }
+ return value;
+ }
+
+ function to_ipv6(value) {
+ var sqEnd = value.indexOf("]");
+ if (sqEnd > -1) {
+ if (value.charAt(0) !== "[") return;
+ value = value.substr(1, sqEnd - 1);
+ }
+ var zoneOffset = value.indexOf("%");
+ if (zoneOffset > -1) {
+ value = value.substr(0, zoneOffset);
+ }
+ var parts = value.split(":");
+ if (parts == null || parts.length < 3 || parts.length > 8) return;
+ var numEmpty = 0;
+ var innerEmpty = 0;
+ for (var i = 0; i < parts.length; i++) {
+ if (parts[i].length === 0) {
+ numEmpty++;
+ if (i > 0 && i + 1 < parts.length) innerEmpty++;
+ } else if (!parts[i].match(ipv6_hex_regex) &&
+ // Accept an IPv6 with a valid IPv4 at the end.
+ ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
+ return;
+ }
+ }
+ return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
+ }
+
+ function to_double(value) {
+ return parseFloat(value);
+ }
+
+ function to_mac(value) {
+ // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
+ return value;
+ }
+
+ function to_lowercase(value) {
+ // to_lowercase is used against keyword fields, which can accept
+ // any other type (numbers, dates).
+ return typeof(value) === "string"?
value.toLowerCase() : value;
+ }
+
+ function fld_set(dst, value) {
+ dst[this.field] = { v: value };
+ }
+
+ function fld_append(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: [value] };
+ } else {
+ var base = dst[this.field];
+ if (base.v.indexOf(value)===-1) base.v.push(value);
+ }
+ }
+
+ function fld_prio(dst, value) {
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value, prio: this.prio};
+ } else if(this.prio < dst[this.field].prio) {
+ dst[this.field].v = value;
+ dst[this.field].prio = this.prio;
+ }
+ }
+
+ var valid_ecs_outcome = {
+ 'failure': true,
+ 'success': true,
+ 'unknown': true
+ };
+
+ function fld_ecs_outcome(dst, value) {
+ value = value.toLowerCase();
+ if (valid_ecs_outcome[value] === undefined) {
+ value = 'unknown';
+ }
+ if (dst[this.field] === undefined) {
+ dst[this.field] = { v: value };
+ } else if (dst[this.field].v === 'unknown') {
+ dst[this.field] = { v: value };
+ }
+ }
+
+ function map_all(evt, targets, value) {
+ for (var i = 0; i < targets.length; i++) {
+ evt.Put(targets[i], value);
+ }
+ }
+
+ function populate_fields(evt) {
+ var base = evt.Get(FIELDS_OBJECT);
+ if (base === null) return;
+ alternate_datetime(evt);
+ if (map_ecs) {
+ do_populate(evt, base, ecs_mappings);
+ }
+ if (map_rsa) {
+ do_populate(evt, base, rsa_mappings);
+ }
+ if (keep_raw) {
+ evt.Put("rsa.raw", base);
+ }
+ evt.Delete(FIELDS_OBJECT);
+ }
+
+ var datetime_alt_components = [
+ {field: "day", fmts: [[dF]]},
+ {field: "year", fmts: [[dW]]},
+ {field: "month", fmts: [[dB],[dG]]},
+ {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
+ {field: "hour", fmts: [[dN]]},
+ {field: "min", fmts: [[dU]]},
+ {field: "secs", fmts: [[dO]]},
+ {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
+ ];
+
+ function alternate_datetime(evt) {
+ if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
+ return;
+ }
+ var tzOffset = tz_offset;
+ if (tzOffset === "event") {
+
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{p0}"); + + var dup2 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var dup3 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var dup4 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var dup5 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var dup6 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + + var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("p0"), + ], + }); + + var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("p0"), + ], + }); + + var dup11 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(": "), + field("p0"), + ], + }); + + var dup12 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(": "), + field("p0"), + ], + }); + + var dup13 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" ["), + field("p0"), + ], + }); + + var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var dup19 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + 
field("messageid"), + constant("["), + field("pid"), + constant("]: "), + field("p0"), + ], + }); + + var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); + + var dup21 = setc("eventcategory","1605000000"); + + var dup22 = setf("msg","$MSG"); + + var dup23 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup24 = setf("hostname","hhost"); + + var dup25 = setc("event_description","AUDIT"); + + var dup26 = setc("event_description","CRON command"); + + var dup27 = setc("eventcategory","1801030000"); + + var dup28 = setc("eventcategory","1801020000"); + + var dup29 = setc("eventcategory","1605010000"); + + var dup30 = setc("eventcategory","1603000000"); + + var dup31 = setc("event_description","Process mode"); + + var dup32 = setc("event_description","NTP Server Unreachable"); + + var dup33 = setc("eventcategory","1401060000"); + + var dup34 = setc("ec_theme","Authentication"); + + var dup35 = setc("ec_subject","User"); + + var dup36 = setc("ec_activity","Logon"); + + var dup37 = setc("ec_outcome","Success"); + + var dup38 = setc("event_description","rpd proceeding"); + + var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var dup42 = setc("eventcategory","1701010000"); + + var dup43 = setc("ec_outcome","Failure"); + + var dup44 = setc("eventcategory","1401030000"); + + var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); + + var dup46 = setc("eventcategory","1803000000"); + + var dup47 = setc("event_type","VPN"); + + var dup48 = setc("eventcategory","1605020000"); + + var dup49 = setc("eventcategory","1602020000"); + + var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var 
dup51 = setc("eventcategory","1603020000"); + + var dup52 = date_time({ + dest: "event_time", + args: ["hfld32"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup53 = setc("ec_subject","NetworkComm"); + + var dup54 = setc("ec_activity","Create"); + + var dup55 = setc("ec_activity","Stop"); + + var dup56 = setc("event_description","Trap state change"); + + var dup57 = setc("event_description","peer NLRI mismatch"); + + var dup58 = setc("eventcategory","1605030000"); + + var dup59 = setc("eventcategory","1603010000"); + + var dup60 = setc("eventcategory","1606000000"); + + var dup61 = setf("hostname","hhostname"); + + var dup62 = date_time({ + dest: "event_time", + args: ["hfld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup63 = setc("eventcategory","1401050200"); + + var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); + + var dup65 = setc("event_description","unable to run in the background as a daemon"); + + var dup66 = setc("event_description","Another copy of this program is running"); + + var dup67 = setc("event_description","Unable to lock PID file"); + + var dup68 = setc("event_description","Unable to update process PID file"); + + var dup69 = setc("eventcategory","1301000000"); + + var dup70 = setc("event_description","Command stopped"); + + var dup71 = setc("event_description","Unable to create pipes for command"); + + var dup72 = setc("event_description","Command exited"); + + var dup73 = setc("eventcategory","1603050000"); + + var dup74 = setc("eventcategory","1801010000"); + + var dup75 = setc("event_description","Login failure"); + + var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var dup78 = setc("event_description","Unable to open file"); + + var dup79 = 
setc("event_description","SNMP index assigned changed"); + + var dup80 = setc("eventcategory","1302000000"); + + var dup81 = setc("eventcategory","1001020300"); + + var dup82 = setc("event_description","PFE FW SYSLOG_IP"); + + var dup83 = setc("event_description","process_mode"); + + var dup84 = setc("event_description","Logical interface collision"); + + var dup85 = setc("event_description","excessive runtime time during action of module"); + + var dup86 = setc("event_description","Reinitializing"); + + var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); + + var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); + + var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); + + var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + + var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); + + var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var dup93 = setc("eventcategory","1803010000"); + + var dup94 = setc("ec_activity","Deny"); + + var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); + + var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); + + var dup97 = setc("event_description","session denied"); + + var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" 
destination-port=\"%{dport}\"%{p0}"); + + var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); + + var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); + + var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); + + var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var dup104 = setc("dclass_counter1_string","No.of packets from client"); + + var dup105 = setc("event_description","SNMPD AUTH FAILURE"); + + var dup106 = setc("event_description","send send-type (index1) failure"); + + var dup107 = setc("event_description","SNMP trap error"); + + var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); + + var dup109 = setc("event_description","SNMP TRAP LINK UP"); + + var dup110 = setc("event_description","Login Failure"); + + var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); + + var 
dup113 = setc("eventcategory","1701020000"); + + var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); + + var dup116 = setc("event_description","User set command"); + + var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + + var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + + var dup120 = setc("event_description","User set groups to secret"); + + var dup121 = setc("event_description","UI CMDLINE READ LINE"); + + var dup122 = setc("event_description","User commit"); + + var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var dup125 = setc("eventcategory","1401070000"); + + var dup126 = setc("ec_activity","Logoff"); + + var dup127 = setc("event_description","Successful login"); + + var dup128 = setf("hostname","hostip"); + + var dup129 = setc("event_description","TACACS+ failure"); + + var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var dup133 = setc("eventcategory","1003010000"); + + var dup134 = setc("eventcategory","1901000000"); + + var dup135 = linear_select([ + dup14, + dup15, + dup16, + dup17, + ]); + + var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ + dup13, + ])); + + var dup137 = linear_select([ + dup40, + dup41, + ]); + + var dup138 = 
match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup21, + dup22, + dup56, + dup23, + ])); + + var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup51, + dup22, + dup64, + dup23, + ])); + + var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup30, + dup22, + dup65, + dup23, + ])); + + var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup30, + dup22, + dup66, + dup23, + ])); + + var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup30, + dup22, + dup67, + dup23, + ])); + + var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup30, + dup22, + dup68, + dup23, + ])); + + var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + dup71, + dup23, + ])); + + var dup145 = linear_select([ + dup76, + dup77, + ]); + + var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup30, + dup22, + dup79, + dup23, + ])); + + var dup147 = 
match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup30, + dup22, + dup84, + dup23, + ])); + + var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup30, + dup22, + dup85, + dup23, + ])); + + var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup21, + dup22, + dup86, + dup23, + ])); + + var dup150 = linear_select([ + dup88, + dup89, + ]); + + var dup151 = linear_select([ + dup90, + dup45, + ]); + + var dup152 = linear_select([ + dup95, + dup96, + ]); + + var dup153 = linear_select([ + dup101, + dup91, + ]); + + var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup27, + dup22, + 
dup52, + ])); + + var dup156 = linear_select([ + dup118, + dup119, + ]); + + var dup157 = linear_select([ + dup123, + dup124, + ]); + + var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ + dup48, + dup47, + dup23, + dup22, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": restart "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" message repeated "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("("), + field("hfld1"), + constant("): "), + field("p0"), + ], + }), + ])); + + var part1 = match("HEADER#3:0004/1_6", "nwparser.p0", "fpc6 %{p0}"); + + var part2 = match("HEADER#3:0004/1_7", "nwparser.p0", "fpc7 %{p0}"); 
+ + var part3 = match("HEADER#3:0004/1_8", "nwparser.p0", "fpc8 %{p0}"); + + var part4 = match("HEADER#3:0004/1_9", "nwparser.p0", "fpc9 %{p0}"); + + var part5 = match("HEADER#3:0004/1_10", "nwparser.p0", "cfeb %{p0}"); + + var select1 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + part1, + part2, + part3, + part4, + part5, + dup8, + ]); + + var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ + dup9, + ])); + + var all1 = all_match({ + processors: [ + dup1, + select1, + part6, + ], + on_success: processor_chain([ + setc("header_id","0004"), + ]), + }); + + var select2 = linear_select([ + dup2, + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + ]); + + var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ + dup10, + ])); + + var all2 = all_match({ + processors: [ + dup1, + select2, + part7, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), + }); + + var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("["), + field("hpid"), + constant("]: "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + 
constant(" IFP trace> "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0010"), + dup11, + ])); + + var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0029"), + dup12, + ])); + + var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0015"), + dup12, + ])); + + var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0011"), + dup11, + ])); + + var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0027"), + dup9, + ])); + + var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0012"), + dup9, + ])); + + var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ + setc("header_id","0013"), + dup13, + ])); + + var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var all3 = all_match({ + processors: [ + hdr14, + dup135, + dup136, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.a"), + ]), + }); + + var all4 = all_match({ + processors: [ + dup18, + dup135, + dup136, + ], + on_success: processor_chain([ + setc("header_id","0026.upd.b"), + ]), + }); + + var all5 = all_match({ + processors: [ + dup18, + dup135, + dup136, + ], + on_success: processor_chain([ + 
setc("header_id","0026"), + ]), + }); + + var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant("["), + field("hpid"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0016"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(": "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ + setc("header_id","0017"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("["), + field("pid"), + constant("]: "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0018"), + dup19, + ])); + + var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0028"), + dup19, + ])); + + var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0019"), + dup9, + ])); + + var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0020"), + dup19, + ])); + + var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ + 
setc("header_id","0021"), + dup9, + ])); + + var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0022"), + dup9, + ])); + + var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0023"), + dup19, + ])); + + var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0024"), + dup9, + ])); + + var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ + setc("header_id","0031"), + dup10, + ])); + + var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ + setc("header_id","0032"), + dup19, + ])); + + var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0033"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr30 = match("HEADER#33:3336", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","3336"), + ])); + + var hdr31 = match("HEADER#34:3339", "message", "%{month->} 
%{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{messageid->} %{payload}", processor_chain([ + setc("header_id","3339"), + ])); + + var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","3337"), + ])); + + var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","3341"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","3338"), + ])); + + var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" node"), + field("hfld1"), + constant(".fpc"), + field("p0"), + ], + }), + ])); + + var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); + + var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); + + var select3 = linear_select([ + part8, + part9, + ]); + + var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); + + var all6 = all_match({ + processors: [ + hdr35, + select3, + part10, + ], + on_success: processor_chain([ + setc("header_id","3340"), + setc("messageid","node"), + ]), + }); + + var hdr36 = match("HEADER#39:9997/0_0", "message", "mgd[%{p0}"); + + var hdr37 = match("HEADER#39:9997/0_1", "message", "rpd[%{p0}"); + + var hdr38 = match("HEADER#39:9997/0_2", "message", "dcd[%{p0}"); + + var select4 = linear_select([ + hdr36, + hdr37, + hdr38, + ]); + + var part11 = match("HEADER#39:9997/1", "nwparser.p0", 
"%{process_id}]:%{payload}"); + + var all7 = all_match({ + processors: [ + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","9997"), + dup20, + ]), + }); + + var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ + setc("header_id","9995"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("p0"), + ], + }), + ])); + + var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ + setc("header_id","9994"), + setc("messageid","qsfp"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("hfld1"), + constant(" qsfp "), + field("p0"), + ], + }), + ])); + + var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ + setc("header_id","9999"), + dup20, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hevent_type"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ + setc("header_id","9998"), + dup20, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" "), + field("process"), + constant(": "), + field("p0"), + ], + }), + ])); + + var select5 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + all2, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + all3, + all4, + all5, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + all6, + all7, + hdr39, + hdr40, + hdr41, + hdr42, + ]); + + var 
part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","sshd exit status"), + dup23, + ])); + + var msg1 = msg("/usr/sbin/sshd", part12); + + var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","telnetd exit status"), + dup23, + ])); + + var msg2 = msg("/usr/libexec/telnetd", part13); + + var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Alarm Set or Cleared"), + dup23, + ])); + + var msg3 = msg("alarmd", part14); + + var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ + dup21, + dup22, + setc("event_description","Node detected UP"), + dup23, + ])); + + var msg4 = msg("bigd", part15); + + var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ + dup21, + dup22, + setc("event_description","Monitor template id"), + dup23, + ])); + + var msg5 = msg("bigd:01", part16); + + var select6 = linear_select([ + msg4, + msg5, + ]); + + var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","Loading configuration file"), + dup23, + ])); + + var msg6 = msg("bigpipe", part17); + + var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","Begin config install operation"), + dup23, + ])); + + var msg7 = msg("bigpipe:01", part18); + + var 
part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup21, + dup22, + setc("event_description","Audit"), + dup23, + ])); + + var msg8 = msg("bigpipe:02", part19); + + var select7 = linear_select([ + msg6, + msg7, + msg8, + ]); + + var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ + dup21, + dup22, + setc("event_description","portal shutdown"), + dup23, + ])); + + var msg9 = msg("bigstart", part20); + + var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","cga address genration"), + dup23, + ])); + + var msg10 = msg("cgatool", part21); + + var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ + dup21, + dup22, + dup23, + dup24, + ])); + + var msg11 = msg("chassisd:01", part22); + + var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup21, + dup22, + dup25, + dup23, + ])); + + var msg12 = msg("checkd", part23); + + var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ + dup21, + dup22, + setc("event_description","checkd exiting"), + dup23, + ])); + + var msg13 = msg("checkd:01", part24); + + var select8 = linear_select([ + msg12, + msg13, + ]); + + var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","link protection for interface"), + dup23, + ])); + + var msg14 = msg("cosd", part25); + + var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ + dup21, + 
dup22, + setc("event_description","License expiration warning"), + dup23, + ])); + + var msg15 = msg("craftd", part26); + + var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); + + var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); + + var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); + + var select9 = linear_select([ + part28, + part29, + ]); + + var all8 = all_match({ + processors: [ + part27, + select9, + ], + on_success: processor_chain([ + dup21, + dup22, + dup26, + dup23, + ]), + }); + + var msg16 = msg("CRON", all8); + + var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); + + var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); + + var select10 = linear_select([ + part30, + part31, + ]); + + var all9 = all_match({ + processors: [ + select10, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + ]), + }); + + var msg17 = msg("Cmerror", all9); + + var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%(unknown))", processor_chain([ + dup21, + dup22, + setc("event_description","cron RELOAD"), + dup23, + ])); + + var msg18 = msg("cron", part32); + + var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup21, + dup22, + dup23, + dup24, + ])); + + var msg19 = msg("CROND", part33); + + var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ + dup27, + dup22, + dup23, + dup24, + ])); + + var msg20 = msg("CROND:02", part34); + + var select11 = linear_select([ + msg19, + msg20, + ]); + + var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", 
"%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ + dup28, + dup22, + dup23, + dup24, + ])); + + var msg21 = msg("crond:01", part35); + + var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Setting ignored"), + dup23, + ])); + + var msg22 = msg("dcd", part36); + + var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); + + var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); + + var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); + + var select12 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); + + var all10 = all_match({ + processors: [ + part37, + select12, + part40, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","EVENT"), + dup23, + ]), + }); + + var msg23 = msg("EVENT", all10); + + var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ + setc("eventcategory","1802000000"), + dup22, + setc("event_description","ftpd connection"), + dup23, + ])); + + var msg24 = msg("ftpd", part41); + + var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup29, + dup23, + dup22, + ])); + + var msg25 = msg("ha_rto_stats_handler", part42); + + var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. 
%{info}", processor_chain([ + dup21, + dup22, + setc("event_description","LDAP Connection not bound correctly"), + dup23, + ])); + + var msg26 = msg("hostinit", part43); + + var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","PIC_INFO debug - Added entry"), + dup23, + ])); + + var msg27 = msg("ifinfo", part44); + + var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","PIC_INFO debug Initializing spu"), + dup23, + ])); + + var msg28 = msg("ifinfo:01", part45); + + var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","PIC_INFO debug delete from list"), + dup23, + ])); + + var msg29 = msg("ifinfo:02", part46); + + var select13 = linear_select([ + msg27, + msg28, + msg29, + ]); + + var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ + dup21, + dup22, + setc("event_description","IFL anydown change event"), + dup23, + ])); + + var msg30 = msg("ifp_ifl_anydown_change_event", part47); + + var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%(unknown)\"", processor_chain([ + dup21, + dup22, + setc("event_description","ifp ifl config_event"), + dup23, + ])); + + var msg31 = msg("ifp_ifl_config_event", part48); + + var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ + dup21, + dup22, + setc("event_description","ifp_ifl_ext_chg"), + dup23, + ])); + + var msg32 = 
msg("ifp_ifl_ext_chg", part49); + + var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","connection exceeded count limit"), + dup23, + ])); + + var msg33 = msg("inetd", part50); + + var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","exited"), + dup23, + ])); + + var msg34 = msg("inetd:01", part51); + + var select14 = linear_select([ + msg33, + msg34, + ]); + + var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup21, + dup22, + dup31, + dup23, + ])); + + var msg35 = msg("init:04", part52); + + var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ + dup21, + dup22, + dup31, + dup23, + ])); + + var msg36 = msg("init", part53); + + var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","failure target for routing set"), + dup23, + ])); + + var msg37 = msg("init:01", part54); + + var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ + dup21, + dup22, + setc("event_description","ntp started"), + dup23, + ])); + + var msg38 = msg("init:02", part55); + + var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ + dup21, + dup22, + setc("event_description","product mask and model info"), + dup23, + ])); + + var msg39 = msg("init:03", part56); + + var select15 
= linear_select([ + msg35, + msg36, + msg37, + msg38, + msg39, + ]); + + var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","IPC message exceeds MTU"), + dup23, + ])); + + var msg40 = msg("ipc_msg_write", part57); + + var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ + dup28, + dup22, + setc("event_description","listener connection established"), + dup23, + ])); + + var msg41 = msg("connection_established", part58); + + var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); + + var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); + + var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); + + var select16 = linear_select([ + part60, + part61, + ]); + + var all11 = all_match({ + processors: [ + part59, + select16, + ], + on_success: processor_chain([ + dup27, + dup22, + setc("event_description","connection dropped"), + dup23, + ]), + }); + + var msg42 = msg("connection_dropped", all11); + + var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Asserting SONET alarm(s)"), + dup23, + ])); + + var msg43 = msg("kernel", part62); + + var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ + dup21, + dup22, + setc("event_description","interface down"), + dup23, 
+ ])); + + var msg44 = msg("kernel:01", part63); + + var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","loopback suspected om interface"), + dup23, + ])); + + var msg45 = msg("kernel:02", part64); + + var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","soreceive error"), + dup23, + ])); + + var msg46 = msg("kernel:03", part65); + + var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ + dup21, + dup22, + setc("event_description","pfe_peer_alloc state 4"), + dup23, + ])); + + var msg47 = msg("kernel:04", part66); + + var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup21, + dup22, + dup32, + dup23, + ])); + + var msg48 = msg("kernel:05", part67); + + var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup21, + dup22, + dup32, + dup23, + ])); + + var msg49 = msg("kernel:06", part68); + + var select17 = linear_select([ + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + ]); + + var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","successful user login"), + dup23, + ])); + + var msg50 = msg("successful_login", part69); + + var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ + 
dup33, + dup34, + dup35, + dup36, + dup22, + setc("event_description","user login attempt"), + dup23, + ])); + + var msg51 = msg("login_attempt", part70); + + var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup33, + dup34, + dup37, + dup22, + setc("event_description","PAM module return from login"), + dup23, + ])); + + var msg52 = msg("login", part71); + + var select18 = linear_select([ + msg50, + msg51, + msg52, + ]); + + var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","processing lsys root-logical-system"), + dup23, + ])); + + var msg53 = msg("lsys_ssam_handler", part72); + + var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Removing mif from group"), + dup23, + ])); + + var msg54 = msg("mcsn", part73); + + var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup30, + dup22, + setc("event_description","Firewall rows could not be redirected on device"), + dup23, + ])); + + var msg55 = msg("mrvl_dfw_log_effuse_status", part74); + + var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup30, + dup22, + setc("event_description","mfilter already exists for add"), + dup23, + ])); + + var msg56 = msg("MRVL-L2", part75); + + var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ + dup21, + dup22, + 
setc("event_description","processing profile SP-root"), + dup23, + ])); + + var msg57 = msg("profile_ssam_handler", part76); + + var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","can't get resource bucket"), + dup23, + ])); + + var msg58 = msg("pst_nat_binding_set_profile", part77); + + var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","reinitializing done"), + dup23, + ])); + + var msg59 = msg("task_reconfigure", part78); + + var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); + + var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); + + var select19 = linear_select([ + part79, + part80, + ]); + + var all12 = all_match({ + processors: [ + select19, + ], + on_success: processor_chain([ + dup21, + dup22, + dup23, + dup24, + ]), + }); + + var msg60 = msg("tnetd", all12); + + var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ + dup21, + dup22, + setc("event_description","Session manager active"), + dup23, + ])); + + var msg61 = msg("PFEMAN", part81); + + var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup30, + dup22, + setc("event_description","Could not send message to service"), + dup23, + ])); + + var msg62 = msg("mgd", part82); + + var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Resolve request came for an address matching on 
Wrong nh"), + dup23, + ])); + + var msg63 = msg("Resolve", part83); + + var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","service exited with status"), + dup23, + ])); + + var msg64 = msg("respawn", part84); + + var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup30, + dup22, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup23, + ])); + + var msg65 = msg("root", part85); + + var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","Received data for interface"), + dup23, + ])); + + var msg66 = msg("rpd", part86); + + var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","RSVP neighbor up on interface "), + dup23, + ])); + + var msg67 = msg("rpd:01", part87); + + var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ + dup21, + dup22, + setc("event_description","reseting pending active connection"), + dup23, + ])); + + var msg68 = msg("rpd:02", part88); + + var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. 
%{param}", processor_chain([ + dup21, + dup22, + dup38, + dup23, + ])); + + var msg69 = msg("rpd_proceeding", part89); + + var select20 = linear_select([ + msg66, + msg67, + msg68, + msg69, + ]); + + var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ + dup21, + dup22, + setc("event_description","user issuing command as root"), + dup23, + ])); + + var msg70 = msg("rshd", part90); + + var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ + dup21, + dup22, + setc("event_description","sfd waiting on accept"), + dup23, + ])); + + var msg71 = msg("sfd", part91); + + var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","Accepted password"), + dup23, + ])); + + var msg72 = msg("sshd", part92); + + var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ + dup27, + dup22, + setc("event_description","Received disconnect"), + dup23, + ])); + + var msg73 = msg("sshd:02", part93); + + var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ + dup30, + dup22, + setc("result","no identification string"), + setc("event_description","Did not receive identification string from peer"), + dup23, + ])); + + var msg74 = msg("sshd:03", part94); + + var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup30, + dup22, + setc("event_description","Could not write ident string"), + dup23, + ])); + + var msg75 = msg("sshd:04", part95); 
+ + var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ + dup21, + dup22, + setc("event_description","subsystem request for netconf"), + dup23, + ])); + + var msg76 = msg("sshd:05", part96); + + var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); + + var all13 = all_match({ + processors: [ + dup39, + dup137, + part97, + ], + on_success: processor_chain([ + dup29, + dup22, + setc("event_description","send message stats"), + dup23, + ]), + }); + + var msg77 = msg("sshd:06", all13); + + var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); + + var all14 = all_match({ + processors: [ + dup39, + dup137, + part98, + ], + on_success: processor_chain([ + dup42, + setc("ec_theme","Configuration"), + setc("ec_activity","Modify"), + dup37, + dup22, + setc("event_description","Added radius server"), + dup23, + ]), + }); + + var msg78 = msg("sshd:07", all14); + + var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ + setc("eventcategory","1301020000"), + dup34, + dup43, + dup22, + setc("event_description","authentication error"), + dup23, + ])); + + var msg79 = msg("sshd:08", part99); + + var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ + dup30, + dup22, + setc("event_description","unrecognized attribute in policy"), + dup23, + ])); + + var msg80 = msg("sshd:09", part100); + + var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup44, + dup34, + dup43, + dup22, + setc("event_description","PAM module return from sshd"), + dup23, + ])); + + 
var msg81 = msg("sshd:10", part101); + + var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup44, + dup34, + dup43, + dup22, + setc("event_description","PAM authentication chain return"), + dup23, + ])); + + var msg82 = msg("sshd:11", part102); + + var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","can't get client address"), + dup23, + ])); + + var msg83 = msg("sshd:12", part103); + + var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup30, + dup22, + setc("event_description","auth server unresponsive"), + dup23, + ])); + + var msg84 = msg("sshd:13", part104); + + var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup30, + dup22, + setc("event_description","No valid RADIUS responses received"), + dup23, + ])); + + var msg85 = msg("sshd:14", part105); + + var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ + dup21, + dup22, + setc("event_description","Moving to next server"), + dup23, + ])); + + var msg86 = msg("sshd:15", part106); + + var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup44, + dup34, + dup43, + dup22, + setc("event_description","Login failed for user"), + dup23, + ])); + + var msg87 = msg("sshd:16", part107); + + var select21 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + ]); + + var part108 = 
match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); + + var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); + + var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); + + var select22 = linear_select([ + part109, + part110, + dup45, + ]); + + var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); + + var all15 = all_match({ + processors: [ + part108, + select22, + part111, + ], + on_success: processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + setc("event_description","authentication failure"), + dup23, + ]), + }); + + var msg88 = msg("Failed:05", all15); + + var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); + + var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); + + var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); + + var select23 = linear_select([ + part113, + part114, + ]); + + var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); + + var all16 = all_match({ + processors: [ + part112, + select23, + part115, + ], + on_success: processor_chain([ + dup46, + dup47, + dup23, + dup22, + ]), + }); + + var msg89 = msg("Failed", all16); + + var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup46, + dup23, + dup22, + ])); + + var msg90 = msg("Failed:01", part116); + + var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); + + var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); + + var select24 = linear_select([ + part117, + part118, + ]); + + var all17 = all_match({ + processors: [ + select24, + ], + 
on_success: processor_chain([ + dup46, + dup23, + dup22, + setf("hostname","hfld1"), + ]), + }); + + var msg91 = msg("Failed:02", all17); + + var select25 = linear_select([ + msg88, + msg89, + msg90, + msg91, + ]); + + var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ + dup21, + dup22, + setc("event_description","syslog daemon restart"), + dup23, + ])); + + var msg92 = msg("syslogd", part119); + + var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ + dup21, + dup22, + dup25, + dup23, + ])); + + var msg93 = msg("ucd-snmp", part120); + + var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ + dup21, + dup22, + setc("event_description","Received TERM or STOP signal"), + dup23, + ])); + + var msg94 = msg("ucd-snmp:01", part121); + + var select26 = linear_select([ + msg93, + msg94, + ]); + + var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ + dup27, + dup22, + setc("event_description","failed to connect to the server"), + dup23, + ])); + + var msg95 = msg("usp_ipc_client_reconnect", part122); + + var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. 
%{result}", processor_chain([ + dup27, + dup22, + setc("event_description","Trace client disconnected"), + dup23, + ])); + + var msg96 = msg("usp_trace_ipc_disconnect", part123); + + var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup30, + dup22, + setc("event_description","USP trace client cannot reconnect to server"), + dup23, + ])); + + var msg97 = msg("usp_trace_ipc_reconnect", part124); + + var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","flow_print_session_summary_output received"), + dup23, + ])); + + var msg98 = msg("uspinfo", part125); + + var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ + dup21, + dup22, + setc("event_description","Version build date"), + dup23, + ])); + + var msg99 = msg("Version", part126); + + var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","frequency initialized from file"), + dup23, + ])); + + var msg100 = msg("xntpd", part127); + + var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ + dup21, + dup22, + setc("event_description","nptd version build"), + dup23, + ])); + + var msg101 = msg("xntpd:01", part128); + + var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","kernel time sync enabled"), + dup23, + ])); + + var msg102 = msg("xntpd:02", part129); + + var part130 = match("MESSAGE#99:xntpd:03", 
"nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ + dup21, + dup22, + dup32, + dup23, + ])); + + var msg103 = msg("xntpd:03", part130); + + var select27 = linear_select([ + msg100, + msg101, + msg102, + msg103, + ]); + + var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ + dup21, + dup22, + setc("event_description","last message repeated"), + dup23, + ])); + + var msg104 = msg("last", part131); + + var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ + dup48, + dup47, + dup23, + dup22, + dup24, + ])); + + var msg105 = msg("last:01", part132); + + var select28 = linear_select([ + msg104, + msg105, + ]); + + var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup30, + dup22, + setc("event_description","cannot write ucode mask reg"), + dup23, + ])); + + var msg106 = msg("BCHIP", part133); + + var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ + dup21, + dup22, + setc("event_description","Slot on-line"), + dup23, + ])); + + var msg107 = msg("CM", part134); + + var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Received FC Q map"), + dup23, + ])); + + var msg108 = msg("COS", part135); + + var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","ifd error"), + dup23, + ])); + + var msg109 = msg("COSFPC", part136); + + var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ + dup21, + 
dup22, + setc("event_description","delete class to ifl link"), + dup23, + ])); + + var msg110 = msg("COSMAN", part137); + + var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","Keepalive timeout"), + dup23, + ])); + + var msg111 = msg("RDP", part138); + + var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup30, + dup22, + setc("event_description","Initial time of day set"), + dup23, + ])); + + var msg112 = msg("SNTPD", part139); + + var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ + dup21, + dup22, + setc("event_description","Slot serial number"), + dup23, + ])); + + var msg113 = msg("SSB", part140); + + var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","Unexpected error"), + dup23, + ])); + + var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); + + var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %(unknown): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to open file"), + dup23, + ])); + + var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); + + var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup49, + dup22, + setc("event_description","File size mismatch"), + dup23, + ])); + + var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", 
part143); + + var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup49, + dup22, + setc("event_description","Invalid statistics record"), + dup23, + ])); + + var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); + + var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup49, + dup22, + setc("event_description","Class usage statistics error for interface"), + dup23, + ])); + + var msg118 = msg("ACCT_CU_RTSLIB_error", part145); + + var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); + + var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); + + var select29 = linear_select([ + part146, + part147, + ]); + + var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); + + var all18 = all_match({ + processors: [ + dup50, + select29, + part148, + ], + on_success: processor_chain([ + dup49, + dup22, + setc("event_description","error trying to get hostname"), + dup23, + ]), + }); + + var msg119 = msg("ACCT_GETHOSTNAME_error", all18); + + var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup51, + dup22, + setc("event_description","Memory allocation failure"), + dup23, + ])); + + var msg120 = msg("ACCT_MALLOC_FAILURE", part149); + + var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ + dup30, + 
dup22, + setc("event_description","Accounting profile counter not defined in firewall"), + dup23, + ])); + + var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); + + var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup30, + dup22, + setc("event_description","ACCT_XFER_FAILED"), + dup23, + ])); + + var msg122 = msg("ACCT_XFER_FAILED", part151); + + var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup23, + ])); + + var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); + + var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup28, + dup22, + dup52, + ])); + + var msg124 = msg("APPQOS_LOG_EVENT", part153); + + var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup54, + dup22, + setc("result","AppTrack session created"), + dup23, + ])); + + var msg125 = msg("APPTRACK_SESSION_CREATE", part154); + + var part155 
= match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup28, + dup53, + dup55, + dup22, + dup52, + ])); + + var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); + + var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup55, + dup22, + dup23, + ])); + + var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); + + var select30 = linear_select([ + msg126, + msg127, + ]); + + var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" 
nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup28, + dup53, + dup22, + dup52, + ])); + + var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); + + var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup22, + dup23, + ])); + + var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); + + var select31 = linear_select([ + msg128, + msg129, + ]); + + var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); + + var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); + + var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","bgp connect error"), + dup23, + ])); + + var msg132 = msg("bgp_connect_start", part159); + + var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ + dup21, + dup22, + setc("event_description","bgp peer state change"), + dup23, + ])); + + var msg133 = msg("bgp_event", part160); + + var part161 = 
match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup23, + ])); + + var msg134 = msg("bgp_listen_accept", part161); + + var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","bgp reset"), + dup23, + ])); + + var msg135 = msg("bgp_listen_reset", part162); + + var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","peer next hop local"), + dup23, + ])); + + var msg136 = msg("bgp_nexthop_sanity", part163); + + var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ + dup30, + dup22, + setc("event_description","code RED error NOTIFICATION sent"), + dup23, + ])); + + var msg137 = msg("bgp_process_caps", part164); + + var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup30, + dup22, + dup57, + dup23, + ])); + + var msg138 = msg("bgp_process_caps:01", part165); + + var select32 = linear_select([ + msg137, + msg138, + ]); + + var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ + dup30, + dup22, + setc("event_description","connection 
collision"), + setc("result","dropping connection to peer"), + dup23, + ])); + + var msg139 = msg("bgp_pp_recv", part166); + + var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ + dup30, + dup22, + setc("event_description","peer received unexpected EOF"), + dup23, + ])); + + var msg140 = msg("bgp_pp_recv:01", part167); + + var select33 = linear_select([ + msg139, + msg140, + ]); + + var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","bgp send blocked error"), + dup23, + ])); + + var msg141 = msg("bgp_send", part168); + + var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup23, + ])); + + var msg142 = msg("bgp_traffic_timeout", part169); + + var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","boot argument error"), + dup23, + ])); + + var msg143 = msg("BOOTPD_ARG_ERR", part170); + + var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","boot unexpected Id value"), + dup23, + ])); + + var msg144 = msg("BOOTPD_BAD_ID", part171); + + var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: 
%(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","Invalid boot string"), + dup23, + ])); + + var msg145 = msg("BOOTPD_BOOTSTRING", part172); + + var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%(unknown)', %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","configuration file error"), + dup23, + ])); + + var msg146 = msg("BOOTPD_CONFIG_ERR", part173); + + var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%(unknown)'", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to open configuration file"), + dup23, + ])); + + var msg147 = msg("BOOTPD_CONF_OPEN", part174); + + var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup30, + dup22, + setc("event_description","boot - Duplicate revision"), + dup23, + ])); + + var msg148 = msg("BOOTPD_DUP_REV", part175); + + var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup30, + dup22, + setc("event_description","boot - duplicate slot"), + dup23, + ])); + + var msg149 = msg("BOOTPD_DUP_SLOT", part176); + + var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Unexpected ID for model"), + dup23, + ])); + + var msg150 = msg("BOOTPD_MODEL_CHK", part177); + + var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup30, + dup22, + 
setc("event_description","Unsupported model"), + dup23, + ])); + + var msg151 = msg("BOOTPD_MODEL_ERR", part178); + + var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ + dup21, + dup22, + setc("event_description","New configuration installed"), + dup23, + ])); + + var msg152 = msg("BOOTPD_NEW_CONF", part179); + + var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","No boot string found"), + dup23, + ])); + + var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); + + var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%(unknown)', %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","No configuration file found"), + dup23, + ])); + + var msg154 = msg("BOOTPD_NO_CONFIG", part181); + + var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): number parse errors on SIGHUP", processor_chain([ + dup30, + dup22, + setc("event_description","parse errors on SIGHUP"), + dup23, + ])); + + var msg155 = msg("BOOTPD_PARSE_ERR", part182); + + var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","Reparsing configuration file"), + dup23, + ])); + + var msg156 = msg("BOOTPD_REPARSE", part183); + + var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","select error"), + dup23, + ])); + + var msg157 = 
msg("BOOTPD_SELECT_ERR", part184); + + var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ + dup30, + dup22, + setc("event_description","timeout unreasonable"), + dup23, + ])); + + var msg158 = msg("BOOTPD_TIMEOUT", part185); + + var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ + dup21, + dup22, + setc("event_description","boot version built"), + dup23, + ])); + + var msg159 = msg("BOOTPD_VERSION", part186); + + var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ + dup58, + dup22, + setc("event_description","CHASSISD release built"), + dup23, + ])); + + var msg160 = msg("CHASSISD", part187); + + var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD Unknown option"), + dup23, + ])); + + var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); + + var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ + dup21, + dup22, + setc("event_description","Fans and impellers are now running at normal speed"), + dup23, + ])); + + var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); + + var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ + dup21, + dup22, + setc("event_description","Fans and impellers being set to full speed"), + dup23, + ])); + + var 
msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); + + var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","reading midplane ID EEPROM"), + dup23, + ])); + + var msg164 = msg("CHASSISD_CB_READ", part191); + + var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup23, + ])); + + var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); + + var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup23, + ])); + + var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); + + var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup23, + ])); + + var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); + + var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %(unknown); %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CONFIG File Problem"), + dup23, + ])); + + var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); + + var part196 = 
match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %(unknown): %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD CONFIG WARNING"), + dup23, + ])); + + var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); + + var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","chassisd already running"), + dup23, + ])); + + var msg170 = msg("CHASSISD_EXISTS", part197); + + var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ + dup21, + dup22, + setc("event_description","Killing existing chassisd and exiting"), + dup23, + ])); + + var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); + + var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","file open error"), + dup23, + ])); + + var msg172 = msg("CHASSISD_FILE_OPEN", part199); + + var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %(unknown), error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD file statistics error"), + dup23, + ])); + + var msg173 = msg("CHASSISD_FILE_STAT", part200); + + var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD received restart EVENT"), + dup23, + ])); + + var msg174 = 
msg("CHASSISD_FRU_EVENT", part201); + + var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %(unknown)#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup23, + ])); + + var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); + + var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup23, + ])); + + var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); + + var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Unexpected error from gettimeofday"), + dup23, + ])); + + var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); + + var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ + dup21, + dup22, + setc("event_description","reading host temperature sensor"), + dup23, + ])); + + var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); + + var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup21, + dup22, + setc("event_description","detaching all pseudo devices"), + dup23, + ])); + + var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); + + var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
%{service}(%{resultcode})", processor_chain([ + dup21, + dup22, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup23, + ])); + + var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); + + var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ + dup21, + dup22, + setc("event_description","CHASSISD IFDEV DETACH PIC"), + dup23, + ])); + + var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); + + var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ + dup21, + dup22, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup23, + ])); + + var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); + + var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup23, + ])); + + var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); + + var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup23, + ])); + + var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); + + var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Message Queue full"), + dup23, + ])); + + var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); + + var part213 = 
match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Received unexpected message"), + dup23, + ])); + + var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); + + var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FRU has no connection pipe"), + dup23, + ])); + + var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); + + var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FRU has no connection arguments"), + dup23, + ])); + + var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); + + var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup30, + dup22, + setc("event_description","chassisd MAC address allocation error"), + dup23, + ])); + + var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); + + var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ + dup21, + dup22, + setc("event_description","Using default MAC address base"), + dup23, + ])); + + var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); + + var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup30, + dup22, + 
setc("event_description","management bus failed sanity test"), + dup23, + ])); + + var msg191 = msg("CHASSISD_MBUS_ERROR", part218); + + var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ + dup21, + dup22, + setc("event_description","Using new configuration"), + dup23, + ])); + + var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); + + var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CHASSISD PARSE ERROR"), + dup23, + ])); + + var msg193 = msg("CHASSISD_PARSE_ERROR", part220); + + var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","Parsing configuration file"), + dup23, + ])); + + var msg194 = msg("CHASSISD_PARSE_INIT", part221); + + var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%(unknown)': %{result->} %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to open PID file"), + dup23, + ])); + + var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); + + var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Pipe error"), + dup23, + ])); + + var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); + + var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ + dup59, + dup22, + 
setc("event_description","device not powering up"), + dup23, + ])); + + var msg197 = msg("CHASSISD_POWER_CHECK", part224); + + var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ + dup21, + dup22, + setc("event_description","Successful reconnect on soft restart"), + dup23, + ])); + + var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); + + var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ + dup21, + dup22, + setc("event_description","Release mastership notification"), + dup23, + ])); + + var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); + + var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","re_init Invalid RE slot"), + dup23, + ])); + + var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); + + var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to determine mount point for root directory"), + dup23, + ])); + + var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); + + var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","ifmsg sequence gap"), + dup23, + ])); + + var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); + + var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + setc("eventcategory","1603040000"), + dup22, + setc("event_description","Version mismatch"), + dup23, + ])); + + var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); + + var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","Serial ID read error"), + dup23, + ])); + + var msg204 = msg("CHASSISD_SERIAL_ID", part231); + + var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","fpga download not complete"), + dup23, + ])); + + var msg205 = msg("CHASSISD_SMB_ERROR", part232); + + var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ + dup58, + dup22, + setc("event_description","SNMP Trap6 generated"), + dup23, + ])); + + var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); + + var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP Trap7 generated"), + dup23, + ])); + + var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); + + var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP trap - FRU power on"), + dup23, + ])); + + var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); + + var part236 = 
match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup60, + dup22, + setc("event_description","Received SIGTERM request"), + dup23, + ])); + + var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); + + var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","Taking PIC offline"), + dup23, + ])); + + var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); + + var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","UNEXPECTED EXIT"), + dup23, + ])); + + var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); + + var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ + dup59, + dup22, + setc("event_description","Model number unsupported with this version of chassisd"), + dup23, + ])); + + var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); + + var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup59, + dup22, + setc("event_description","Chassisd Version mismatch"), + dup23, + ])); + + var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); + + var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup59, + dup22, + 
setc("event_description","CHASSISD HIGH TEMP CONDITION"), + dup61, + dup62, + ])); + + var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); + + var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ + dup21, + dup22, + setc("event_description","process RESTART mode"), + dup23, + ])); + + var msg215 = msg("clean_process", part242); + + var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ + dup21, + dup22, + setc("event_description","Chassis Linklocal to MAC"), + dup23, + ])); + + var msg216 = msg("CM_JAVA", part243); + + var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","DCD must be run as root"), + dup23, + ])); + + var msg217 = msg("DCD_AS_ROOT", part244); + + var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup30, + dup22, + setc("event_description","Filter library initialization failed"), + dup23, + ])); + + var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); + + var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); + + var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing configuration file"), + dup23, + ])); + + var msg220 = msg("DCD_PARSE_EMERGENCY", part246); + + var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing filter index file"), + dup23, + ])); + + var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); + + var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing configuration overlay"), + dup23, + ])); + + var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); + + var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup30, + dup22, + setc("event_description","unhandled state was encountered during interface parsing"), + dup23, + ])); + + var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); + + var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup30, + dup22, + setc("event_description","errors while parsing policer indexfile"), + dup23, + ])); + + var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); + + var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to pull file"), + dup23, + ])); + + var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); + + var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","DFWD ARGUMENT 
ERROR"), + dup23, + ])); + + var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); + + var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); + + var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ + dup30, + dup22, + setc("event_description","errors encountered while parsing filter index file"), + dup23, + ])); + + var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); + + var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ + dup30, + dup22, + setc("event_description","encountered unhandled state while parsing interface"), + dup23, + ])); + + var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); + + var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); + + var msg231 = msg("ECCD_DUPLICATE", dup141); + + var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup23, + ])); + + var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); + + var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","ECCD Must be run as root"), + dup23, + ])); + + var msg233 = msg("ECCD_NOT_ROOT", part256); + + var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup23, + ])); + + var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); + + var 
part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PCI read failure"), + dup23, + ])); + + var msg235 = msg("ECCD_PCI_READ_FAILED", part258); + + var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PCI write failure"), + dup23, + ])); + + var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259); + + var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); + + var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); + + var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup23, + ])); + + var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); + + var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","ECCD Usage"), + dup23, + ])); + + var msg240 = msg("ECCD_usage", part261); + + var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ + dup21, + dup22, + setc("event_description","User viewed security audit log with arguments"), + dup23, + ])); + + var msg241 = msg("EVENTD_AUDIT_SHOW", part262); + + var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ + dup21, + dup22, + dup23, + ])); + + var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); + + var part264 = 
match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%(unknown)' to user %{username}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to change owner of file"), + dup23, + ])); + + var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); + + var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FSAD CONFIG ERROR"), + dup23, + ])); + + var msg244 = msg("FSAD_CONFIG_ERROR", part265); + + var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup30, + dup22, + setc("event_description","Connection timed out to client"), + dup23, + ])); + + var msg245 = msg("FSAD_CONNTIMEDOUT", part266); + + var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","FSAD_FAILED"), + dup23, + ])); + + var msg246 = msg("FSAD_FAILED", part267); + + var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%(unknown)' timed out", processor_chain([ + dup30, + dup22, + setc("event_description","Fetch to server to get file timed out"), + dup23, + ])); + + var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); + + var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%(unknown)' with error message %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","fn failed for file"), + dup23, + ])); + + var msg248 = 
msg("FSAD_FILE_FAILED", part269); + + var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to remove file"), + dup23, + ])); + + var msg249 = msg("FSAD_FILE_REMOVE", part270); + + var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%(unknown)' to `%{resultcode}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to rename file"), + dup23, + ])); + + var msg250 = msg("FSAD_FILE_RENAME", part271); + + var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %(unknown): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","stat failed for file"), + dup23, + ])); + + var msg251 = msg("FSAD_FILE_STAT", part272); + + var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to sync file"), + dup23, + ])); + + var msg252 = msg("FSAD_FILE_SYNC", part273); + + var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup30, + dup22, + setc("event_description","Upper limit reached in fsad"), + dup23, + ])); + + var msg253 = msg("FSAD_MAXCONN", part274); + + var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ + dup51, + dup22, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup23, + ])); + + var msg254 = 
msg("FSAD_MEMORYALLOC_FAILED", part275); + + var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","FSAD must be run as root"), + dup23, + ])); + + var msg255 = msg("FSAD_NOT_ROOT", part276); + + var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","invalid directory"), + dup23, + ])); + + var msg256 = msg("FSAD_PARENT_DIRECTORY", part277); + + var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%(unknown))", processor_chain([ + dup30, + dup22, + setc("event_description","File path cannot be a directory"), + dup23, + ])); + + var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); + + var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%(unknown))", processor_chain([ + dup30, + dup22, + setc("event_description","Not a regular file"), + dup23, + ])); + + var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); + + var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ + dup30, + dup22, + setc("event_description","fsad received error message from client"), + dup23, + ])); + + var msg259 = msg("FSAD_RECVERROR", part280); + + var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %(unknown)` closed due to %{result}", processor_chain([ + dup27, + dup22, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup23, + ])); + + 
var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); + + var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Received terminating signal"), + dup23, + ])); + + var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); + + var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%(unknown)' returned error %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Open operation on trace file failed"), + dup23, + ])); + + var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); + + var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","Incorrect FSAD usage"), + dup23, + ])); + + var msg263 = msg("FSAD_USAGE", part284); + + var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup23, + ])); + + var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); + + var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup23, + ])); + + var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); + + var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup30, + dup22, + setc("event_description","Unknown trap request type"), + dup23, + ])); + + var msg266 = 
msg("GGSN_TRAP_SEND", part287); + + var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup69, + dup34, + setc("ec_subject","Service"), + dup43, + dup22, + setc("event_description","Authorization failed"), + dup23, + ])); + + var msg267 = msg("JADE_AUTH_ERROR", part288); + + var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","JADE EXEC ERROR"), + dup23, + ])); + + var msg268 = msg("JADE_EXEC_ERROR", part289); + + var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ + dup30, + dup22, + setc("event_description","Local user does not exist"), + dup23, + ])); + + var msg269 = msg("JADE_NO_LOCAL_USER", part290); + + var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","JADE PAM error"), + dup23, + ])); + + var msg270 = msg("JADE_PAM_ERROR", part291); + + var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to get local username from PAM"), + dup23, + ])); + + var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); + + var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ + dup30, + dup22, + setc("event_description","arp info overwritten"), + dup23, + ])); + + var msg272 = msg("KERN_ARP_ADDR_CHANGE", 
part293); + + var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ + dup30, + dup22, + setc("event_description","security association has been established"), + dup23, + ])); + + var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); + + var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ + dup21, + dup22, + setc("event_description","Task Reinitialized"), + dup61, + dup23, + ])); + + var msg274 = msg("L2CPD_TASK_REINIT", part295); + + var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ + dup21, + dup22, + dup70, + dup23, + ])); + + var msg275 = msg("LIBJNX_EXEC_EXITED", part296); + + var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Child exec failed for command"), + dup23, + ])); + + var msg276 = msg("LIBJNX_EXEC_FAILED", part297); + + var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); + + var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup30, + dup22, + setc("event_description","Command received signal"), + dup23, + ])); + + var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); + + var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command 
'%{action}'", processor_chain([ + dup21, + dup22, + dup72, + dup23, + ])); + + var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); + + var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup73, + dup22, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup23, + ])); + + var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); + + var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","Unable to lower privilege level"), + dup23, + ])); + + var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); + + var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","Unable to raise privilege level"), + dup23, + ])); + + var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); + + var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","rcp failed"), + dup23, + ])); + + var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); + + var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup23, + ])); + + var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); + + var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup74, + dup22, + setc("event_description","Client connection error"), + dup23, + ])); + + var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); + + var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup73, + dup22, + setc("event_description","Outbound request failed for command"), + dup23, + ])); + + var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); + + var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ + dup27, + dup22, + setc("event_description","Connection closed while receiving from client"), + dup23, + ])); + + var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); + + var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unable to bind socket"), + dup23, + ])); + + var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); + + var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to attach socket to management routing instance"), + dup23, + ])); + + var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); + + var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LICENSE EXPIRED"), + 
dup23, + ])); + + var msg290 = msg("LICENSE_EXPIRED", part310); + + var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%(unknown)\" has expired.", processor_chain([ + dup21, + dup22, + setc("event_description","License key has expired"), + dup23, + ])); + + var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); + + var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","License key expiration soon"), + dup23, + ])); + + var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); + + var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ + dup30, + dup22, + setc("event_description","client aborted login"), + dup23, + ])); + + var msg293 = msg("LOGIN_ABORTED", part313); + + var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + dup23, + ])); + + var msg294 = msg("LOGIN_FAILED", part314); + + var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Incorrect password for user"), + dup23, + ])); + + var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); + + var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + 
setc("result","Failed to set context for user"), + dup23, + ])); + + var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); + + var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Failed to set login ID for user"), + dup23, + ])); + + var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); + + var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Unable to resolve hostname"), + dup23, + ])); + + var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); + + var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); + + var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); + + var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); + + var select34 = linear_select([ + part321, + dup45, + ]); + + var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); + + var all19 = all_match({ + processors: [ + dup39, + dup137, + part319, + dup145, + part320, + select34, + part322, + ], + on_success: processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","Successful Login"), + dup23, + ]), + }); + + var msg299 = msg("LOGIN_INFORMATION", all19); + + var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","No entry in local password 
file for user"), + dup23, + ])); + + var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); + + var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Invalid username"), + dup23, + ])); + + var msg301 = msg("LOGIN_MALFORMED_USER", part324); + + var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); + + var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); + + var select35 = linear_select([ + part325, + part326, + ]); + + var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); + + var all20 = all_match({ + processors: [ + dup50, + select35, + part327, + ], + on_success: processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","PAM authentication error for user"), + dup23, + ]), + }); + + var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); + + var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + setc("event_description","PAM authentication failure"), + setc("result","Failure while authenticating user"), + dup23, + ])); + + var msg303 = msg("LOGIN_PAM_ERROR", part328); + + var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Too many retries while authenticating user"), + dup23, + ])); + + var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); + + 
var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","User authenticated but has no local login ID"), + dup23, + ])); + + var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); + + var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ + setc("eventcategory","1303000000"), + dup34, + dup43, + dup22, + setc("event_description","Failed to end PAM session"), + dup23, + ])); + + var msg306 = msg("LOGIN_PAM_STOP", part331); + + var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Attempt to authenticate unknown user"), + dup23, + ])); + + var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); + + var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Forcing change of expired password for user"), + dup23, + ])); + + var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); + + var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup75, + setc("result","Login of user refused"), + dup23, + ])); + + var msg309 = msg("LOGIN_REFUSED", part334); + + var part335 = match("MESSAGE#305:LOGIN_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","successful login as root"), + setc("result","User logged in as root"), + dup23, + ])); + + var msg310 = msg("LOGIN_ROOT", part335); + + var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ + dup44, + dup34, + dup36, + dup43, + dup22, + dup75, + setc("result","Login attempt timed out"), + dup23, + ])); + + var msg311 = msg("LOGIN_TIMED_OUT", part336); + + var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D ATM ERROR"), + dup23, + ])); + + var msg312 = msg("MIB2D_ATM_ERROR", part337); + + var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","CONFIG CHECK FAILED"), + dup23, + ])); + + var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); + + var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + dup78, + dup23, + ])); + + var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); + + var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); + + var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); + + var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","mib2d initialization 
failure"), + dup23, + ])); + + var msg317 = msg("MIB2D_INIT_FAILURE", part340); + + var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D KVM FAILURE"), + dup23, + ])); + + var msg318 = msg("MIB2D_KVM_FAILURE", part341); + + var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup23, + ])); + + var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); + + var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ + dup30, + dup22, + setc("event_description","RTSLIB sequence mismatch"), + dup23, + ])); + + var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); + + var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup23, + ])); + + var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); + + var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup30, + dup22, + setc("event_description","trap_request_header failed"), + dup23, + ])); + + var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); + + var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MIB2D 
TRAP SEND FAILURE"), + dup23, + ])); + + var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); + + var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ + dup21, + dup22, + setc("event_description","user sighupped"), + dup23, + ])); + + var msg324 = msg("Multiuser", part347); + + var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate authentication handle"), + dup23, + ])); + + var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); + + var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown), authentication already in progress", processor_chain([ + dup80, + dup34, + dup43, + dup22, + setc("event_description","authentication already in progress"), + dup23, + ])); + + var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); + + var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup23, + ])); + + var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); + + var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup23, + ])); + + var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", 
part351); + + var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %(unknown), CHAP ID: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","CHAP INVALID OPCODE"), + dup23, + ])); + + var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); + + var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup23, + ])); + + var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); + + var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup23, + ])); + + var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); + + var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup81, + dup22, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup23, + ])); + + var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); + + var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup23, + ])); + + var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); + + var 
msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); + + var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %(unknown), %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate database object"), + dup23, + ])); + + var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); + + var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %(unknown), %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","DB TABLE CREATE FAILURE"), + dup23, + ])); + + var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); + + var msg337 = msg("NASD_DUPLICATE", dup141); + + var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","EVLIB CREATE FAILURE"), + dup23, + ])); + + var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); + + var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","EVLIB EXIT FAILURE"), + dup23, + ])); + + var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); + + var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate LOCAL module handle"), + dup23, + ])); + + var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); + + var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + 
setc("event_description","NASD must be run as root"), + dup23, + ])); + + var msg341 = msg("NASD_NOT_ROOT", part362); + + var msg342 = msg("NASD_PID_FILE_LOCK", dup142); + + var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); + + var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup23, + ])); + + var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); + + var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PPP READ FAILURE"), + dup23, + ])); + + var msg345 = msg("NASD_PPP_READ_FAILURE", part364); + + var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to send message"), + dup23, + ])); + + var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); + + var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to send all of message"), + dup23, + ])); + + var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); + + var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup30, + dup22, + setc("event_description","Unrecognized authentication protocol"), + dup23, + ])); + + var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); + + var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS password allocation failure"), + dup23, + ])); + + var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); + + var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS CONFIG FAILED"), + dup23, + ])); + + var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); + + var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to allocate RADIUS module handle"), + dup23, + ])); + + var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); + + var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup23, + ])); + + var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); + + var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup23, + ])); + + var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); + + var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unknown response from RADIUS server"), + 
dup23, + ])); + + var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); + + var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS OPEN FAILED"), + dup23, + ])); + + var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); + + var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS SELECT FAILED"), + dup23, + ])); + + var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); + + var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RADIUS SET TIMER FAILED"), + dup23, + ])); + + var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); + + var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TRACE FILE OPEN FAILED"), + dup23, + ])); + + var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); + + var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","NASD Usage"), + dup23, + ])); + + var msg359 = msg("NASD_usage", part378); + + var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ + dup21, + dup22, + dup23, + ])); + + var msg360 = msg("NOTICE", part379); + + var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} 
%{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup21, + dup22, + dup82, + dup23, + ])); + + var msg361 = msg("PFE_FW_SYSLOG_IP", part380); + + var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ + dup21, + dup22, + dup82, + dup23, + ])); + + var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); + + var select36 = linear_select([ + msg361, + msg362, + ]); + + var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup21, + dup22, + setc("event_description","Next-hop resolution requests throttled"), + dup23, + ])); + + var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); + + var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","PING TEST COMPLETED"), + dup23, + ])); + + var msg364 = msg("PING_TEST_COMPLETED", part383); + + var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","PING TEST FAILED"), + dup23, + ])); + + var msg365 = msg("PING_TEST_FAILED", part384); + + var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); + + var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); + + var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); + + var select37 = linear_select([ + 
part386, + part387, + ]); + + var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); + + var all21 = all_match({ + processors: [ + dup39, + dup137, + part385, + select37, + part388, + ], + on_success: processor_chain([ + dup21, + dup22, + dup83, + dup23, + ]), + }); + + var msg366 = msg("process_mode", all21); + + var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ + dup21, + dup22, + dup83, + dup23, + ])); + + var msg367 = msg("process_mode:01", part389); + + var select38 = linear_select([ + msg366, + msg367, + ]); + + var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","process exit with status"), + dup23, + ])); + + var msg368 = msg("PWC_EXIT", part390); + + var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ + dup21, + dup22, + setc("event_description","Process released child from state"), + dup23, + ])); + + var msg369 = msg("PWC_HOLD_RELEASE", part391); + + var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","invalid runs argument"), + dup23, + ])); + + var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); + + var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","INVALID TIMEOUT 
ARGUMENT"), + dup23, + ])); + + var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); + + var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ + dup21, + dup22, + setc("event_description","pwc process received terminating signal"), + dup23, + ])); + + var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); + + var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ + dup30, + dup22, + setc("event_description","pwc is sending kill event to child"), + dup23, + ])); + + var msg373 = msg("PWC_KILL_EVENT", part395); + + var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to kill process"), + dup23, + ])); + + var msg374 = msg("PWC_KILL_FAILED", part396); + + var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","kevent failed"), + dup23, + ])); + + var msg375 = msg("PWC_KQUEUE_ERROR", part397); + + var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to create kqueue"), + dup23, + ])); + + var msg376 = msg("PWC_KQUEUE_INIT", part398); + + var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to register 
kqueue filter"), + dup23, + ])); + + var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); + + var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file has bad format"), + dup23, + ])); + + var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); + + var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file error"), + dup23, + ])); + + var msg379 = msg("PWC_LOCKFILE_ERROR", part401); + + var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file not found"), + dup23, + ])); + + var msg380 = msg("PWC_LOCKFILE_MISSING", part402); + + var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","PID lock file not locked"), + dup23, + ])); + + var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); + + var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup30, + dup22, + setc("event_description","No process specified for PWC"), + dup23, + ])); + + var msg382 = msg("PWC_NO_PROCESS", part404); + + var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","pwc process exited with status"), + 
dup23, + ])); + + var msg383 = msg("PWC_PROCESS_EXIT", part405); + + var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ + dup21, + dup22, + setc("event_description","Process forcing hold down of child until signalled"), + dup23, + ])); + + var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); + + var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ + dup21, + dup22, + setc("event_description","Process holding down child until signalled"), + dup23, + ])); + + var msg385 = msg("PWC_PROCESS_HOLD", part407); + + var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Process not holding down child"), + dup23, + ])); + + var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); + + var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to create child process with pidpopen"), + dup23, + ])); + + var msg387 = msg("PWC_PROCESS_OPEN", part409); + + var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Process holding down child"), + dup23, + ])); + + var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); + + var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Child process timed out"), + dup23, + ])); + + var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); + + var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","signal failure"), + dup23, + ])); + + var msg390 = msg("PWC_SIGNAL_INIT", part412); + + var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to connect socket to service"), + dup23, + ])); + + var msg391 = msg("PWC_SOCKET_CONNECT", part413); + + var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Failed to create socket"), + dup23, + ])); + + var msg392 = msg("PWC_SOCKET_CREATE", part414); + + var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to set socket option"), + dup23, + ])); + + var msg393 = msg("PWC_SOCKET_OPTION", part415); + + var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Write to stdout failed"), + dup23, + ])); + + var msg394 = msg("PWC_STDOUT_WRITE", part416); + + var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + 
dup21, + dup22, + setc("event_description","PWC SYSTEM CALL"), + dup23, + ])); + + var msg395 = msg("PWC_SYSTEM_CALL", part417); + + var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup30, + dup22, + setc("event_description","Unknown kill option"), + dup23, + ])); + + var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); + + var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ + dup30, + dup22, + setc("event_description","Multicast address not allowed"), + dup23, + ])); + + var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); + + var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup23, + ])); + + var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); + + var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to convert numeric address to string"), + dup23, + ])); + + var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); + + var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","rmop_util_set_address status message invalid"), + dup23, + ])); + + var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); + + var msg401 = msg("RMOPD_DUPLICATE", dup141); + + var part423 = 
match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup30, + dup22, + setc("event_description","Only IPv4 source address is supported"), + dup23, + ])); + + var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); + + var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup30, + dup22, + setc("event_description","No route to host"), + dup23, + ])); + + var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); + + var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","IFINDEX NOT ACTIVE"), + dup23, + ])); + + var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); + + var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","IFINDEX NO INFO"), + dup23, + ])); + + var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); + + var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup23, + ])); + + var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); + + var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","IFNAME NO INFO"), + dup23, + ])); + + var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); + + var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","RMOPD Must be run as root"), + dup23, + ])); + + var msg408 = msg("RMOPD_NOT_ROOT", part429); + + var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","No information for routing instance"), + dup23, + ])); + + var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); + + var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TRACEROUTE ERROR"), + dup23, + ])); + + var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); + + var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","RMOPD usage"), + dup23, + ])); + + var msg411 = msg("RMOPD_usage", part432); + + var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD ABORT"), + dup23, + ])); + + var msg412 = msg("RPD_ABORT", part433); + + var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD exiting with active tasks"), + dup23, + ])); + + var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); + + var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file 
\"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD Assertion failed"), + dup23, + ])); + + var msg414 = msg("RPD_ASSERT", part435); + + var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%(unknown)\", line %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD Soft assertion failed"), + dup23, + ])); + + var msg415 = msg("RPD_ASSERT_SOFT", part436); + + var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ + dup21, + dup22, + setc("event_description","RPD EXIT"), + dup23, + ])); + + var msg416 = msg("RPD_EXIT", part437); + + var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); + + var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); + + var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS lost adjacency"), + dup23, + ])); + + var msg419 = msg("RPD_ISIS_ADJDOWN", part438); + + var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","IS-IS new adjacency"), + dup23, + ])); + + var msg420 = msg("RPD_ISIS_ADJUP", part439); + + var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS new adjacency 
without an address"), + dup23, + ])); + + var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); + + var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup23, + ])); + + var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); + + var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup30, + dup22, + setc("event_description","IS-IS database overload"), + dup23, + ])); + + var msg423 = msg("RPD_ISIS_OVERLOAD", part442); + + var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","message with unsupported address family received"), + dup23, + ])); + + var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); + + var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup30, + dup22, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup23, + ])); + + var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); + + var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","received deleted routing table from kernel"), + dup23, + ])); + + var msg426 = msg("RPD_KRT_DELETED_RTT", part445); + + var part446 = 
match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ifa generation mismatch"), + dup23, + ])); + + var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); + + var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup30, + dup22, + setc("event_description","CHANGE for ifd failed"), + dup23, + ])); + + var msg428 = msg("RPD_KRT_IFDCHANGE", part447); + + var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup30, + dup22, + setc("event_description","GET SERVICE failure on interface"), + dup23, + ])); + + var msg429 = msg("RPD_KRT_IFDEST_GET", part448); + + var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup30, + dup22, + setc("event_description","GET index for ifd interface failed"), + dup23, + ])); + + var msg430 = msg("RPD_KRT_IFDGET", part449); + + var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ifd generation mismatch"), + dup23, + ])); + + var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); + + var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup23, 
+ ])); + + var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); + + var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup23, + ])); + + var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); + + var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","ifl generation mismatch"), + dup23, + ])); + + var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); + + var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","lost interface for route"), + dup23, + ])); + + var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); + + var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","number of next hops exceeded the maximum"), + dup23, + ])); + + var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); + + var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","No device for interface"), + dup23, + ])); + + var msg437 = msg("RPD_KRT_NOIFD", part456); + + var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","received routing table message for unknown table"), + dup23, + ])); + + var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); + + var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Routing socket version mismatch"), + dup23, + ])); + + var msg439 = msg("RPD_KRT_VERSION", part458); + + var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Routing socket message type not supported by kernel"), + dup23, + ])); + + var msg440 = msg("RPD_KRT_VERSIONNONE", part459); + + var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Routing socket message type version is older than expected"), + dup23, + ])); + + var msg441 = msg("RPD_KRT_VERSIONOLD", part460); + + var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Duplicate session ID detected"), + dup23, + ])); + + var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); + + var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface 
%{interface->} is now %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","LDP interface now unblocked"), + dup23, + ])); + + var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); + + var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + setc("eventcategory","1603030000"), + dup22, + setc("event_description","LDP neighbor down"), + dup23, + ])); + + var msg444 = msg("RPD_LDP_NBRDOWN", part463); + + var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","LDP neighbor up"), + dup23, + ])); + + var msg445 = msg("RPD_LDP_NBRUP", part464); + + var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LDP session down"), + dup23, + ])); + + var msg446 = msg("RPD_LDP_SESSIONDOWN", part465); + + var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ + dup21, + dup22, + setc("event_description","LDP session up"), + dup23, + ])); + + var msg447 = msg("RPD_LDP_SESSIONUP", part466); + + var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to obtain a lock"), + dup23, + ])); + + var msg448 = msg("RPD_LOCK_FLOCKED", part467); + + var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", 
processor_chain([ + dup30, + dup22, + setc("event_description","Unable to obtain service lock"), + dup23, + ])); + + var msg449 = msg("RPD_LOCK_LOCKED", part468); + + var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","MPLS LSP CHANGE"), + dup23, + ])); + + var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); + + var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MPLS LSP DOWN"), + dup23, + ])); + + var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); + + var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","MPLS LSP SWITCH"), + dup23, + ])); + + var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); + + var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ + dup21, + dup22, + setc("event_description","MPLS LSP UP"), + dup23, + ])); + + var msg453 = msg("RPD_MPLS_LSP_UP", part472); + + var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","MSDP PEER DOWN"), + dup23, + ])); + + var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); + + var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","MSDP PEER UP"), + dup23, + ])); + + var 
msg455 = msg("RPD_MSDP_PEER_UP", part474); + + var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","OSPF neighbor down"), + dup23, + ])); + + var msg456 = msg("RPD_OSPF_NBRDOWN", part475); + + var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","OSPF neighbor up"), + dup23, + ])); + + var msg457 = msg("RPD_OSPF_NBRUP", part476); + + var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ + dup51, + dup22, + setc("event_description","OS MEMHIGH"), + dup23, + ])); + + var msg458 = msg("RPD_OS_MEMHIGH", part477); + + var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","PIM neighbor down"), + setc("result","timeout"), + dup23, + ])); + + var msg459 = msg("RPD_PIM_NBRDOWN", part478); + + var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","PIM neighbor up"), + dup23, + ])); + + var msg460 = msg("RPD_PIM_NBRUP", part479); + + var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Bad checksum for router 
solicitation"), + dup23, + ])); + + var msg461 = msg("RPD_RDISC_CKSUM", part480); + + var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Ignoring interface"), + dup23, + ])); + + var msg462 = msg("RPD_RDISC_NOMULTI", part481); + + var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to locate interface for router"), + dup23, + ])); + + var msg463 = msg("RPD_RDISC_NORECVIF", part482); + + var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Expected multicast for router solicitation"), + dup23, + ])); + + var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); + + var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Nonzero ICMP code for router solicitation"), + dup23, + ])); + + var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); + + var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, + dup22, + setc("event_description","Insufficient length for router solicitation"), + dup23, + ])); + + var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); + 
+ var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ + dup30, + dup22, + setc("event_description","RIP update with invalid authentication"), + dup23, + ])); + + var msg467 = msg("RPD_RIP_AUTH", part486); + + var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RIP - unable to get broadcast address"), + dup23, + ])); + + var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); + + var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RIP - Unable to join multicast group"), + dup23, + ])); + + var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); + + var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","RIP interface up"), + dup23, + ])); + + var msg470 = msg("RPD_RT_IFUP", part489); + + var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); + + var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup30, + dup22, + setc("event_description","excessive runtime after action of module"), + dup23, + ])); + + var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); + + var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); + + var part491 = 
match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup30, + dup22, + setc("event_description","task extended runtime"), + dup23, + ])); + + var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); + + var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ + dup30, + dup22, + setc("event_description","termination signal received for service"), + dup23, + ])); + + var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); + + var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","version built"), + dup23, + ])); + + var msg476 = msg("RPD_START", part493); + + var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","system command"), + dup23, + ])); + + var msg477 = msg("RPD_SYSTEM", part494); + + var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ + dup21, + dup22, + setc("event_description","Commencing routing updates"), + dup23, + ])); + + var msg478 = msg("RPD_TASK_BEGIN", part495); + + var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","task killed by signal"), + dup23, + ])); + + var msg479 = msg("RPD_TASK_CHILDKILLED", part496); + + var part497 = 
match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","task stopped by signal"), + dup23, + ])); + + var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); + + var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fork task"), + dup23, + ])); + + var msg481 = msg("RPD_TASK_FORK", part498); + + var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","RPD TASK GETWD"), + dup23, + ])); + + var msg482 = msg("RPD_TASK_GETWD", part499); + + var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup30, + dup22, + setc("event_description","Reinitialization not possible"), + dup23, + ])); + + var msg483 = msg("RPD_TASK_NOREINIT", part500); + + var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to close and remove task"), + dup23, + ])); + + var msg484 = msg("RPD_TASK_PIDCLOSED", part501); + + var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RPD TASK PIDFLOCK"), + dup23, + ])); + + var msg485 = msg("RPD_TASK_PIDFLOCK", part502); + + var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: 
%{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to write"), + dup23, + ])); + + var msg486 = msg("RPD_TASK_PIDWRITE", part503); + + var msg487 = msg("RPD_TASK_REINIT", dup149); + + var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","ignoring task signal"), + dup23, + ])); + + var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); + + var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","COS IPC op failed"), + dup23, + ])); + + var msg489 = msg("RT_COS", part505); + + var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); + + var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); + + var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); + + var select39 = linear_select([ + part508, + dup91, + ]); + + var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); + + var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); + + var select40 = linear_select([ + 
part510, + dup45, + ]); + + var all22 = all_match({ + processors: [ + dup87, + dup150, + part506, + dup151, + part507, + select39, + part509, + select40, + dup92, + ], + on_success: processor_chain([ + dup28, + dup53, + dup54, + dup22, + dup52, + ]), + }); + + var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); + + var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); + + var select41 = linear_select([ + part511, + dup45, + ]); + + var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); + + var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); + + var select42 = linear_select([ + part513, + dup45, + ]); + + var all23 = all_match({ + processors: [ + dup87, + select41, + part512, + select42, + dup92, + ], + on_success: processor_chain([ + dup28, + dup53, + dup54, + dup22, + dup52, + ]), + }); + + var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); + + var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); + + var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); + + var select43 = linear_select([ + part514, + part515, + ]); + + var part516 = 
match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); + + var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); + + var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); + + var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); + + var select44 = linear_select([ + part517, + part518, + part519, + ]); + + var all24 = all_match({ + processors: [ + select43, + part516, + select44, + ], + on_success: processor_chain([ + dup28, + dup53, + dup54, + dup22, + setc("event_description","session created"), + dup23, + ]), + }); + + var msg492 = msg("RT_FLOW_SESSION_CREATE:01", all24); + + var select45 = linear_select([ + msg490, + msg491, + msg492, + ]); + + var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); + + var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); + + var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); + + var select46 = 
linear_select([ + part521, + part522, + dup45, + ]); + + var all25 = all_match({ + processors: [ + dup87, + dup150, + part520, + select46, + dup92, + ], + on_success: processor_chain([ + dup93, + dup53, + dup94, + dup22, + dup52, + ]), + }); + + var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); + + var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ + dup93, + dup53, + dup94, + dup22, + dup52, + ])); + + var msg494 = msg("RT_FLOW_SESSION_DENY", part523); + + var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); + + var all26 = all_match({ + processors: [ + dup152, + part524, + ], + on_success: processor_chain([ + dup27, + dup53, + dup94, + dup22, + dup97, + dup23, + ]), + }); + + var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); + + var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); + + var all27 = all_match({ + processors: [ + dup152, + part525, + ], + on_success: processor_chain([ + dup27, + dup53, + dup94, + dup22, + dup97, + dup23, + ]), + }); + + var msg496 = msg("RT_FLOW_SESSION_DENY:01", all27); + + var select47 = linear_select([ + msg493, + msg494, + msg495, + msg496, + ]); + + var select48 = linear_select([ + dup103, + dup45, + ]); + + var all28 = all_match({ + processors: [ + dup98, + dup150, + dup99, + dup151, + dup100, + dup153, + dup102, + select48, + dup92, + ], + on_success: processor_chain([ + dup27, + dup53, + dup55, + dup104, + dup22, + dup52, + ]), + }); + + var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", 
all28); + + var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup53, + dup55, + dup22, + dup52, + ])); + + var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); + + var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); + + var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); + + var select49 = linear_select([ + part527, + part528, + ]); + + var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); + + var all29 = all_match({ + processors: [ + select49, + part529, + ], + on_success: processor_chain([ + dup27, + dup53, + dup55, + dup22, + setc("event_description","session closed"), + dup23, + ]), + }); + + var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); + + var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); + + var select50 = linear_select([ + dup103, + part530, + dup45, + ]); + + var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); + + var all30 = all_match({ + processors: [ + dup98, + dup150, + 
dup99, + dup151, + dup100, + dup153, + dup102, + select50, + part531, + ], + on_success: processor_chain([ + dup27, + dup53, + dup55, + dup104, + dup22, + dup52, + dup61, + ]), + }); + + var msg500 = msg("RT_FLOW_SESSION_CLOSE:03", all30); + + var select51 = linear_select([ + msg497, + msg498, + msg499, + msg500, + ]); + + var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup30, + dup22, + setc("event_description","Fragmented traffic"), + dup23, + ])); + + var msg501 = msg("RT_SCREEN_IP", part532); + + var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg502 = msg("RT_SCREEN_IP:01", part533); + + var select52 = linear_select([ + msg501, + msg502, + ]); + + var msg503 = msg("RT_SCREEN_TCP", dup154); + + var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); + + var msg505 = msg("RT_SCREEN_UDP", dup154); + + var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ + dup27, + dup22, + setc("event_description","attempt to connect to interface failed"), + dup23, + 
])); + + var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); + + var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup27, + dup22, + setc("event_description","unexpected termination of connection"), + dup23, + ])); + + var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); + + var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","client interface connection failure"), + dup23, + ])); + + var msg508 = msg("SERVICED_CLIENT_ERROR", part537); + + var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","remote command execution failed"), + dup23, + ])); + + var msg509 = msg("SERVICED_COMMAND_FAILED", part538); + + var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","client commit configuration failed"), + dup23, + ])); + + var msg510 = msg("SERVICED_COMMIT_FAILED", part539); + + var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","configuration process failed"), + dup23, + ])); + + var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); + + var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SERVICED CONFIG ERROR"), + dup23, + ])); + + var msg512 = msg("SERVICED_CONFIG_ERROR", part541); + + var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","service failed to read path"), + dup23, + ])); + + var msg513 = msg("SERVICED_CONFIG_FILE", part542); + + var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SERVICED CONNECTION ERROR"), + dup23, + ])); + + var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); + + var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","GGSN services disabled"), + dup23, + ])); + + var msg515 = msg("SERVICED_DISABLED_GGSN", part544); + + var msg516 = msg("SERVICED_DUPLICATE", dup141); + + var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","event function failed"), + dup23, + ])); + + var msg517 = msg("SERVICED_EVENT_FAILED", part545); + + var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","service initialization failed"), + dup23, + ])); + + var msg518 = msg("SERVICED_INIT_FAILED", part546); + + var 
part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","memory allocation failure"), + dup23, + ])); + + var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); + + var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","NETWORK FAILURE"), + dup23, + ])); + + var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); + + var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, + dup22, + setc("event_description","SERVICED must be run as root"), + dup23, + ])); + + var msg521 = msg("SERVICED_NOT_ROOT", part549); + + var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); + + var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); + + var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","routing socket sequence error"), + dup23, + ])); + + var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); + + var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","set up of signal name handler failed"), + dup23, + ])); + + var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); + + var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","socket create failed with error"), + dup23, + ])); + + var msg526 = msg("SERVICED_SOCKET_CREATE", part552); + + var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","socket function failed"), + dup23, + ])); + + var msg527 = msg("SERVICED_SOCKET_IO", part553); + + var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unable to set socket option"), + dup23, + ])); + + var msg528 = msg("SERVICED_SOCKET_OPTION", part554); + + var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","STDLIB FAILURE"), + dup23, + ])); + + var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); + + var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Incorrect service usage"), + dup23, + ])); + + var msg530 = msg("SERVICED_USAGE", part556); + + var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","object has unexpected value"), + dup23, + ])); + + var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); + + var msg532 = 
msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); + + var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); + + var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); + + var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ + dup21, + dup22, + setc("event_description","AgentX subagent connected"), + dup61, + dup23, + ])); + + var msg535 = msg("SNMP_NS_LOG_INFO", part558); + + var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ + dup21, + dup22, + setc("event_description","ns_subagent registering rows"), + dup61, + dup23, + ])); + + var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); + + var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup23, + ])); + + var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); + + var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ + dup30, + dup22, + dup105, + setc("result","unauthorized SNMP community to unknown community name"), + dup23, + ])); + + var msg538 = msg("SNMPD_AUTH_FAILURE", part561); + + var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ + dup30, + dup22, + dup105, + setc("result","failed input interface authorization to unknown"), + dup23, + 
])); + + var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); + + var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ + dup30, + dup22, + dup105, + setc("result","unauthorized SNMP community "), + dup23, + ])); + + var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); + + var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup30, + dup22, + dup105, + dup61, + dup62, + ])); + + var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); + + var select53 = linear_select([ + msg538, + msg539, + msg540, + msg541, + ]); + + var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP request exceeded community privileges"), + dup23, + ])); + + var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); + + var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ + dup48, + dup22, + setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), + setc("result","request not allowed"), + dup23, + ])); + + var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); + + var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","unauthorized SNMP PDU type"), + 
dup23, + ])); + + var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); + + var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup30, + dup22, + setc("event_description","Configuration database has errors"), + dup23, + ])); + + var msg545 = msg("SNMPD_CONFIG_ERROR", part568); + + var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD CONTEXT ERROR"), + dup23, + ])); + + var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); + + var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup23, + ])); + + var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); + + var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup30, + dup22, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup23, + ])); + + var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); + + var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD FILE FAILURE"), + dup23, + ])); + + var msg549 = msg("SNMPD_FILE_FAILURE", part572); + + var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in 
%{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD GROUP ERROR"), + dup23, + ])); + + var msg550 = msg("SNMPD_GROUP_ERROR", part573); + + var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","snmpd initialization failure"), + dup23, + ])); + + var msg551 = msg("SNMPD_INIT_FAILED", part574); + + var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LIBJUNIPER FAILURE"), + dup23, + ])); + + var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); + + var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","LOOPBACK ADDR ERROR"), + dup23, + ])); + + var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); + + var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup30, + dup22, + setc("event_description","duplicate memory free"), + dup23, + ])); + + var msg554 = msg("SNMPD_MEMORY_FREED", part577); + + var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","radix_add failed"), + dup23, + ])); + + var msg555 = msg("SNMPD_RADIX_FAILURE", part578); + + var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive 
%{dclass_counter1->} failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup23, + ])); + + var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); + + var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","RMONFILE FAILURE"), + dup23, + ])); + + var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); + + var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup30, + dup22, + setc("event_description","Null cookie"), + dup23, + ])); + + var msg558 = msg("SNMPD_RMON_COOKIE", part581); + + var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","RMON EVENTLOG"), + dup23, + ])); + + var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); + + var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Received io error"), + dup23, + ])); + + var msg560 = msg("SNMPD_RMON_IOERROR", part583); + + var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","internal Get request error"), + dup23, + ])); + + var msg561 = msg("SNMPD_RMON_MIBERROR", part584); + + var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + 
dup30, + dup22, + setc("event_description","sequence mismatch"), + dup23, + ])); + + var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); + + var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup30, + dup22, + dup106, + dup23, + ])); + + var msg563 = msg("SNMPD_SEND_FAILURE", part586); + + var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup30, + dup22, + dup106, + dup23, + ])); + + var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); + + var select54 = linear_select([ + msg563, + msg564, + ]); + + var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD SOCKET FAILURE"), + dup23, + ])); + + var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); + + var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup30, + dup22, + setc("event_description","No buffers available for subagent"), + dup23, + ])); + + var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); + + var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Send to subagent failed"), + dup23, + ])); + + var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); + + var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", 
processor_chain([ + dup30, + dup22, + setc("event_description","system function failed"), + dup23, + ])); + + var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); + + var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ + dup21, + dup22, + setc("event_description","cleared all throttled traps"), + dup23, + ])); + + var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); + + var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP trap: cold start"), + dup23, + ])); + + var msg570 = msg("SNMPD_TRAP_COLD_START", part593); + + var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ + dup30, + dup22, + dup107, + dup23, + ])); + + var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); + + var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup30, + dup22, + dup107, + dup23, + ])); + + var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); + + var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup23, + ])); + + var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); + + var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ + 
dup30, + dup22, + setc("event_description","SNMPD TRAP ERROR"), + dup23, + ])); + + var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); + + var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ + dup21, + dup22, + setc("event_description","Adding trap to queue"), + dup23, + ])); + + var msg575 = msg("SNMPD_TRAP_QUEUED", part598); + + var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ + dup21, + dup22, + setc("event_description","traps queued - sent successfully"), + dup23, + ])); + + var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); + + var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup23, + ])); + + var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); + + var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup23, + ])); + + var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); + + var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ + dup21, + dup22, + 
setc("event_description","SNMP traps throttled"), + dup23, + ])); + + var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); + + var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ + dup30, + dup22, + setc("event_description","unknown SNMP trap type requested"), + dup23, + ])); + + var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); + + var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup23, + ])); + + var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); + + var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup23, + ])); + + var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); + + var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ + dup21, + dup22, + setc("event_description","SNMPD TRAP WARM START"), + dup23, + ])); + + var msg583 = msg("SNMPD_TRAP_WARM_START", part606); + + var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMPD USER ERROR"), + dup23, + ])); + + var msg584 = msg("SNMPD_USER_ERROR", part607); + + var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP deleting view"), + dup23, + ])); + + var msg585 = msg("SNMPD_VIEW_DELETE", part608); + + var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ + dup21, + dup22, + setc("event_description","installing default SNMP view"), + dup23, + ])); + + var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); + + var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","oid parsing failed for SNMP view"), + dup23, + ])); + + var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); + + var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP_GET_ERROR 1"), + dup23, + ])); + + var msg588 = msg("SNMP_GET_ERROR1", part611); + + var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP GET ERROR 2"), + dup23, + ])); + + var msg589 = msg("SNMP_GET_ERROR2", part612); + + var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP GET ERROR 
3"), + dup23, + ])); + + var msg590 = msg("SNMP_GET_ERROR3", part613); + + var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP GET ERROR 4"), + dup23, + ])); + + var msg591 = msg("SNMP_GET_ERROR4", part614); + + var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP RTSLIB FAILURE"), + dup23, + ])); + + var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); + + var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup30, + dup22, + dup108, + dup23, + ])); + + var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); + + var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup30, + dup22, + dup108, + dup61, + dup62, + ])); + + var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); + + var select55 = linear_select([ + msg593, + msg594, + ]); + + var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup21, + dup22, + dup109, + dup23, + ])); + + var msg595 = msg("SNMP_TRAP_LINK_UP", part618); + + var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} 
[junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ + dup21, + dup22, + dup109, + dup61, + dup62, + ])); + + var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); + + var select56 = linear_select([ + msg595, + msg596, + ]); + + var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup23, + ])); + + var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); + + var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup23, + ])); + + var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); + + var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup23, + ])); + + var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); + + var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup23, + ])); + + var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); + + var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: 
%{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup21, + dup22, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup23, + ])); + + var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); + + var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup30, + dup22, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup23, + ])); + + var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); + + var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup110, + dup23, + ])); + + var msg603 = msg("SSHD_LOGIN_FAILED", part626); + + var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup44, + dup34, + dup35, + dup36, + dup43, + dup22, + dup110, + dup61, + dup52, + setf("process","hfld33"), + ])); + + var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); + + var select57 = linear_select([ + msg603, + msg604, + ]); + + var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","task connect failure"), + dup23, + ])); + + var msg605 = msg("task_connect", part628); + + var msg606 = msg("TASK_TASK_REINIT", dup149); + + var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup30, + dup22, 
+ setc("event_description","Unexpected address family"), + dup23, + ])); + + var msg607 = msg("TFTPD_AF_ERR", part629); + + var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD BIND ERROR"), + dup23, + ])); + + var msg608 = msg("TFTPD_BIND_ERR", part630); + + var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD CONNECT ERROR"), + dup23, + ])); + + var msg609 = msg("TFTPD_CONNECT_ERR", part631); + + var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","TFTPD CONNECT INFO"), + dup23, + ])); + + var msg610 = msg("TFTPD_CONNECT_INFO", part632); + + var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD CREATE ERROR"), + dup23, + ])); + + var msg611 = msg("TFTPD_CREATE_ERR", part633); + + var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD FIO ERR"), + dup23, + ])); + + var msg612 = msg("TFTPD_FIO_ERR", part634); + + var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD FORK ERROR"), + dup23, + ])); + + var msg613 = msg("TFTPD_FORK_ERR", part635); + + var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD NAK ERROR"), + dup23, + ])); + + var msg614 = msg("TFTPD_NAK_ERR", part636); + + var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%(unknown)', error: %{result}", processor_chain([ + dup30, + dup22, + dup78, + dup23, + ])); + + var msg615 = msg("TFTPD_OPEN_ERR", part637); + + var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup23, + ])); + + var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); + + var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD RECVFROM ERROR"), + dup23, + ])); + + var msg617 = msg("TFTPD_RECVFROM_ERR", part639); + + var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD RECV ERROR"), + dup23, + ])); + + var msg618 = msg("TFTPD_RECV_ERR", part640); + + var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%(unknown)'", processor_chain([ + dup21, + dup22, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup23, + ])); + + var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); + + var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: 
%{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD SEND ERROR"), + dup23, + ])); + + var msg620 = msg("TFTPD_SEND_ERR", part642); + + var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD SOCKET ERROR"), + dup23, + ])); + + var msg621 = msg("TFTPD_SOCKET_ERR", part643); + + var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","TFTPD STATFS ERROR"), + dup23, + ])); + + var msg622 = msg("TFTPD_STATFS_ERR", part644); + + var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ + dup21, + dup22, + setc("event_description","adding neighbor to interface"), + dup23, + ])); + + var msg623 = msg("TNP", part645); + + var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ + dup21, + dup22, + setc("event_description","tracing to file"), + dup23, + call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld33"), + ], + }), + ])); + + var msg624 = msg("trace_on", part646); + + var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","trace rotating file"), + dup23, + ])); + + var msg625 = msg("trace_rotate", part647); + + var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","transfered file"), + dup23, + ])); + + var msg626 = msg("transfer-file", 
part648); + + var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup30, + dup22, + setc("event_description","ttloop - peer died"), + dup23, + ])); + + var msg627 = msg("ttloop", part649); + + var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup80, + dup34, + dup35, + dup37, + dup22, + setc("event_description","Authenticated user"), + dup23, + ])); + + var msg628 = msg("UI_AUTH_EVENT", part650); + + var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup30, + dup22, + setc("event_description","Received invalid authentication challenge for user response"), + dup23, + ])); + + var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); + + var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fetch boot time"), + dup23, + ])); + + var msg630 = msg("UI_BOOTTIME_FAILED", part652); + + var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ + dup30, + dup22, + setc("event_description","user path unknown"), + dup23, + ])); + + var msg631 = msg("UI_CFG_AUDIT_NEW", part653); + + var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ + dup42, + dup22, + 
setc("event_description"," user Inserted Security Policies in config"), + dup23, + ])); + + var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); + + var select58 = linear_select([ + msg631, + msg632, + ]); + + var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%(unknown)]", processor_chain([ + dup21, + dup22, + setc("event_description","User deleted file"), + setc("action","delete"), + dup23, + ])); + + var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); + + var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %(unknown)", processor_chain([ + dup21, + dup22, + setc("event_description","User rollback file"), + dup23, + ])); + + var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); + + var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); + + var select59 = linear_select([ + part657, + dup112, + ]); + + var all31 = all_match({ + processors: [ + dup111, + select59, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","User set"), + dup23, + ]), + }); + + var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); + + var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ + dup21, + dup22, + setc("event_description","User config replace"), + setc("action","replace"), + dup23, + ])); + + var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); + + var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ + setc("eventcategory","1701070000"), + dup22, + setc("event_description","User deactivating group(s)"), + setc("action","deactivate"), + 
dup23, + ])); + + var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); + + var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %(unknown)", processor_chain([ + dup113, + dup22, + setc("event_description","User updates config file"), + setc("action","update"), + dup23, + ])); + + var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); + + var select60 = linear_select([ + msg633, + msg634, + msg635, + msg636, + msg637, + msg638, + ]); + + var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); + + var select61 = linear_select([ + part661, + dup114, + ]); + + var all32 = all_match({ + processors: [ + dup111, + select61, + dup115, + ], + on_success: processor_chain([ + dup21, + dup22, + dup116, + dup23, + ]), + }); + + var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); + + var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); + + var select62 = linear_select([ + part662, + dup114, + ]); + + var all33 = all_match({ + processors: [ + dup111, + select62, + dup115, + ], + on_success: processor_chain([ + dup21, + dup22, + dup116, + dup23, + ]), + }); + + var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); + + var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ + dup21, + dup22, + setc("event_description","User replace config application(s)"), + dup23, + ])); + + var msg641 = msg("UI_CFG_AUDIT_SET", part663); + + var select63 = linear_select([ + msg639, + msg640, + msg641, + ]); + + var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); + + var all34 = all_match({ + processors: [ + dup117, + dup156, + part664, + ], + on_success: 
processor_chain([ + dup113, + dup22, + dup120, + dup23, + ]), + }); + + var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); + + var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); + + var all35 = all_match({ + processors: [ + dup117, + dup156, + part665, + ], + on_success: processor_chain([ + dup113, + dup22, + dup120, + dup23, + ]), + }); + + var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); + + var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ + dup21, + dup22, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup23, + ])); + + var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); + + var select64 = linear_select([ + msg642, + msg643, + msg644, + ]); + + var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup30, + dup22, + setc("event_description","Too many arguments for child process"), + dup23, + ])); + + var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); + + var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to switch to local user"), + dup23, + ])); + + var msg646 = msg("UI_CHILD_CHANGE_USER", part668); + + var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Child exec failed"), + dup23, + ])); + + var msg647 = msg("UI_CHILD_EXEC", part669); + + var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child 
exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup30, + dup22, + setc("event_description","Child exited"), + dup23, + ])); + + var msg648 = msg("UI_CHILD_EXITED", part670); + + var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to append to log"), + dup23, + ])); + + var msg649 = msg("UI_CHILD_FOPEN", part671); + + var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to create pipe for command"), + dup23, + ])); + + var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); + + var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ + dup21, + dup22, + dup61, + setc("event_description","Child received signal"), + dup23, + ])); + + var msg651 = msg("UI_CHILD_SIGNALED", part673); + + var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ + dup21, + dup22, + setc("event_description","Child stopped"), + dup23, + ])); + + var msg652 = msg("UI_CHILD_STOPPED", part674); + + var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ + dup21, + dup22, + setc("event_description","Starting child"), + dup23, + ])); + + var msg653 = msg("UI_CHILD_START", part675); + + var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", 
"%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Cleanup child"), + dup23, + ])); + + var msg654 = msg("UI_CHILD_STATUS", part676); + + var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","waitpid failed"), + dup23, + ])); + + var msg655 = msg("UI_CHILD_WAITPID", part677); + + var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Idle timeout for user exceeded"), + dup23, + ])); + + var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); + + var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup21, + dup22, + dup121, + dup23, + ])); + + var msg657 = msg("UI_CMDLINE_READ_LINE", part679); + + var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Command execution failed"), + dup23, + ])); + + var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); + + var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fork command"), + dup23, + ])); + + var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); + + var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); + + var part682 = 
match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup30, + dup22, + dup70, + dup23, + ])); + + var msg661 = msg("UI_CMDSET_STOPPED", part682); + + var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ + dup30, + dup22, + dup72, + dup23, + ])); + + var msg662 = msg("UI_CMDSET_WEXITED", part683); + + var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Invalid regexp command"), + dup23, + ])); + + var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); + + var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); + + var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); + + var select65 = linear_select([ + part685, + part686, + ]); + + var all36 = all_match({ + processors: [ + dup117, + select65, + ], + on_success: processor_chain([ + dup21, + dup22, + dup122, + dup23, + ]), + }); + + var msg664 = msg("UI_COMMIT", all36); + + var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ + dup21, + dup22, + dup122, + dup23, + ])); + + var msg665 = msg("UI_COMMIT_AT", part687); + + var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ + dup21, + dup22, + setc("event_description","User commit successful"), + dup23, + ])); + + var msg666 = 
msg("UI_COMMIT_AT_COMPLETED", part688); + + var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup30, + dup22, + setc("event_description","User commit failed"), + dup23, + ])); + + var msg667 = msg("UI_COMMIT_AT_FAILED", part689); + + var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %(unknown)'", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to compress file"), + dup23, + ])); + + var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); + + var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ + dup21, + dup22, + setc("event_description","UI COMMIT CONFIRMED"), + dup23, + ])); + + var msg669 = msg("UI_COMMIT_CONFIRMED", part691); + + var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); + + var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); + + var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); + + var select66 = linear_select([ + part693, + part694, + ]); + + var all37 = all_match({ + processors: [ + part692, + select66, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup23, + ]), + }); + + var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); + + var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); + + var all38 = all_match({ + processors: [ + dup50, + dup145, + part695, + ], + on_success: processor_chain([ + dup21, + 
dup22, + setc("event_description","user performed commit confirm"), + dup23, + ]), + }); + + var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); + + var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Skipped empty object"), + dup23, + ])); + + var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); + + var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","COMMIT NOT CONFIRMED"), + dup23, + ])); + + var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); + + var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); + + var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); + + var select67 = linear_select([ + part698, + part699, + ]); + + var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); + + var all39 = all_match({ + processors: [ + dup50, + select67, + part700, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","Commit operation in progress"), + dup23, + ]), + }); + + var msg674 = msg("UI_COMMIT_PROGRESS", all39); + + var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","COMMIT QUIT"), + dup23, + ])); + + var msg675 = msg("UI_COMMIT_QUIT", part701); + + var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup30, + dup22, + setc("event_description","Automatic rollback failed"), + dup23, + ])); + + var 
msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); + + var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ + dup21, + dup22, + setc("event_description","COMMIT SYNC"), + dup23, + ])); + + var msg677 = msg("UI_COMMIT_SYNC", part703); + + var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","All logins to local configuration database were terminated"), + dup23, + ])); + + var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); + + var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); + + var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%(unknown)], %{p0}"); + + var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%(unknown), %{p0}"); + + var select68 = linear_select([ + part706, + part707, + ]); + + var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); + + var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); + + var select69 = linear_select([ + part709, + dup112, + ]); + + var all40 = all_match({ + processors: [ + part705, + select68, + part708, + select69, + ], + on_success: processor_chain([ + dup30, + dup22, + setc("event_description","CONFIGURATION ERROR"), + dup23, + ]), + }); + + var msg679 = msg("UI_CONFIGURATION_ERROR", all40); + + var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); + + var all41 = all_match({ + processors: [ + dup50, + dup157, + part710, + ], + on_success: processor_chain([ + dup30, + dup22, + 
setc("event_description","socket connection accept failed"), + dup23, + ]), + }); + + var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); + + var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to create session child"), + dup23, + ])); + + var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); + + var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","DAEMON SELECT FAILED"), + dup23, + ])); + + var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); + + var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); + + var all42 = all_match({ + processors: [ + dup50, + dup157, + part713, + ], + on_success: processor_chain([ + dup30, + dup22, + setc("event_description","socket create failed"), + dup23, + ]), + }); + + var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); + + var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%(unknown)', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to reaccess database file"), + dup23, + ])); + + var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); + + var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%(unknown)' is out of data and needs to be rebuilt", processor_chain([ + dup30, + dup22, + setc("event_description","Database is out of data"), + dup23, + ])); + + var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); + + var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%(unknown)' to size %{dclass_counter1}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to extend database file"), + dup23, + ])); + + var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); + + var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + setc("event_description","User entering configuration mode"), + dup23, + ])); + + var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); + + var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ + dup125, + dup34, + dup35, + dup126, + dup37, + dup22, + setc("event_description","User exiting configuration mode"), + dup23, + ])); + + var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); + + var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header extent mismatch"), + dup23, + ])); + + var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); + + var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header major version number mismatch"), + dup23, + ])); + + var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); + + var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", 
"nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header minor version number mismatch"), + dup23, + ])); + + var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); + + var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%(unknown)'", processor_chain([ + dup30, + dup22, + setc("event_description","Database header sequence numbers mismatch"), + dup23, + ])); + + var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); + + var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%(unknown)': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, + dup22, + setc("event_description","Database header size mismatch"), + dup23, + ])); + + var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); + + var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%(unknown)': %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Database open failed"), + dup23, + ])); + + var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); + + var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%(unknown)' failed", processor_chain([ + dup30, + dup22, + setc("event_description","DBASE REBUILD FAILED"), + dup23, + ])); + + var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); + + var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Automatic rebuild of the database failed", processor_chain([ + dup30, + dup22, + setc("event_description","Automatic rebuild of the database failed"), + dup23, + ])); + + var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); + + var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); + + var select70 = linear_select([ + dup76, + part727, + ]); + + var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%(unknown)' started"); + + var all43 = all_match({ + processors: [ + dup50, + select70, + part728, + ], + on_success: processor_chain([ + dup21, + dup22, + setc("event_description","DBASE REBUILD STARTED"), + dup23, + ]), + }); + + var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); + + var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ + dup21, + dup22, + setc("event_description","user attempting database re-creation"), + dup23, + ])); + + var msg698 = msg("UI_DBASE_RECREATE", part729); + + var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup30, + dup22, + setc("event_description","Reopen of the database failed"), + dup23, + ])); + + var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); + + var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ + dup30, + dup22, + setc("event_description","Users have the same UID"), + dup23, + ])); + + var msg700 = msg("UI_DUPLICATE_UID", part731); + + var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", 
processor_chain([ + setc("eventcategory","1401050100"), + dup22, + setc("event_description","User used JUNOScript client to run command"), + dup23, + ])); + + var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); + + var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","JUNOScript error"), + dup23, + ])); + + var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); + + var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ + dup21, + dup22, + setc("event_description","User command"), + dup23, + ])); + + var msg703 = msg("UI_LOAD_EVENT", part734); + + var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %(unknown)", processor_chain([ + setc("eventcategory","1701040000"), + dup22, + setc("event_description","Loading default config from file"), + dup23, + ])); + + var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); + + var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + dup127, + dup128, + dup23, + ])); + + var msg705 = msg("UI_LOGIN_EVENT:01", part736); + + var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ + dup33, + dup34, + dup35, + dup36, + dup37, + dup22, + dup127, + dup23, + ])); + + var msg706 = msg("UI_LOGIN_EVENT", part737); + + var select71 = linear_select([ + msg705, + 
msg706, + ]); + + var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup125, + dup34, + dup35, + dup126, + dup37, + dup22, + setc("event_description","User logout"), + dup23, + ])); + + var msg707 = msg("UI_LOGOUT_EVENT", part738); + + var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup30, + dup22, + setc("event_description","Lost connection to daemon"), + dup23, + ])); + + var msg708 = msg("UI_LOST_CONN", part739); + + var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ + dup21, + dup22, + setc("event_description","MASTERSHIP EVENT"), + dup23, + ])); + + var msg709 = msg("UI_MASTERSHIP_EVENT", part740); + + var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ + dup21, + dup22, + setc("event_description","Terminating operation"), + dup23, + ])); + + var msg710 = msg("UI_MGD_TERMINATE", part741); + + var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup29, + dup22, + setc("event_description","User used NETCONF client to run command"), + dup23, + ])); + + var msg711 = msg("UI_NETCONF_CMD", part742); + + var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","read failed for peer"), + dup23, + ])); + + var msg712 = msg("UI_READ_FAILED", part743); + + var part744 = 
match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup30, + dup22, + setc("event_description","Timeout on read of peer"), + dup23, + ])); + + var msg713 = msg("UI_READ_TIMEOUT", part744); + + var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ + dup60, + dup22, + setc("event_description","System reboot or halt"), + dup23, + ])); + + var msg714 = msg("UI_REBOOT_EVENT", part745); + + var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup29, + dup22, + setc("event_description","user restarting daemon"), + dup23, + ])); + + var msg715 = msg("UI_RESTART_EVENT", part746); + + var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Schema is out of date"), + dup23, + ])); + + var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); + + var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Schema major version mismatch"), + dup23, + ])); + + var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); + + var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Schema minor version mismatch"), + dup23, + ])); + + var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); + 
+ var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %(unknown)", processor_chain([ + dup30, + dup22, + setc("event_description","Schema header sequence numbers mismatch"), + dup23, + ])); + + var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); + + var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup30, + dup22, + setc("event_description","Schema sequence number mismatch"), + dup23, + ])); + + var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); + + var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ + dup21, + dup22, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup23, + ])); + + var msg721 = msg("UI_SYNC_OTHER_RE", part752); + + var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup30, + dup22, + dup129, + dup23, + ])); + + var msg722 = msg("UI_TACPLUS_ERROR", part753); + + var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup30, + dup22, + setc("event_description","Unable to fetch system version"), + dup23, + ])); + + var msg723 = msg("UI_VERSION_FAILED", part754); + + var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ + dup21, + dup22, + setc("event_description","Re-establishing connection to peer"), + dup23, + ])); + + var msg724 = 
msg("UI_WRITE_RECONNECT", part755); + + var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ + dup21, + dup22, + setc("event_description","Interface new master for User"), + dup23, + ])); + + var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); + + var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ + dup69, + dup34, + dup35, + dup43, + dup22, + setc("event_description","Unable to authenticate client"), + dup23, + ])); + + var msg726 = msg("WEB_AUTH_FAIL", part757); + + var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ + dup80, + dup34, + dup35, + dup37, + dup22, + setc("event_description","Authenticated client"), + dup23, + ])); + + var msg727 = msg("WEB_AUTH_SUCCESS", part758); + + var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ + setc("eventcategory","1001030300"), + dup22, + setc("event_description","web request from unauthorized interface"), + dup23, + ])); + + var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); + + var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + dup74, + dup22, + setc("event_description","Unable to read from client"), + dup23, + ])); + + var msg729 = msg("WEB_READ", part760); + + var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: 
%{result}, failed to check request %{url}", processor_chain([ + setc("eventcategory","1204020100"), + dup22, + setc("event_description","failed to check web request"), + dup23, + ])); + + var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); + + var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup74, + dup53, + dup43, + dup22, + dup52, + ])); + + var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); + + var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup29, + dup22, + setc("event_description","Bridge Address"), + dup23, + ])); + + var msg732 = msg("eswd", part763); + + var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ + dup29, + dup22, + setc("event_description","ESWD STP State Change Info"), + dup23, + ])); + + var msg733 = msg("eswd:01", part764); + + var select72 = linear_select([ + msg732, + msg733, + ]); + + var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup29, + dup22, + dup26, + dup23, + ])); + + var msg734 = msg("/usr/sbin/cron", part765); + + var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup29, + dup22, + setc("event_description","Link status change event"), + dup23, + ])); + + var msg735 = msg("chassism:02", part766); + + var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup29, + dup22, + setc("event_description","ifd process flaps"), + 
dup23, + ])); + + var msg736 = msg("chassism:01", part767); + + var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup29, + dup22, + setc("event_description","IFCM "), + dup23, + ])); + + var msg737 = msg("chassism", part768); + + var select73 = linear_select([ + msg735, + msg736, + msg737, + ]); + + var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); + + var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); + + var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); + + var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" 
error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); + + var select74 = linear_select([ + msg738, + msg739, + msg740, + msg741, + ]); + + var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); + + var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); + + var select75 = linear_select([ + msg742, + msg743, + ]); + + var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ + dup46, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); + + var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ + dup46, + dup47, + dup23, + ])); + + var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); + + var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ + dup46, + dup47, + dup23, + dup22, + 
dup128, + ])); + + var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); + + var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ + dup46, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); + + var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup48, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); + + var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ + dup46, + dup47, + dup23, + dup22, + dup128, + ])); + + var msg749 = msg("LACPD_TIMEOUT", part778); + + var msg750 = msg("cli", dup159); + + var msg751 = msg("pfed", dup159); + + var msg752 = msg("idpinfo", dup159); + + var msg753 = msg("kmd", dup159); + + var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg754 = msg("node:01", part779); + + var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg755 = msg("node:02", part780); + + var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg756 = msg("node:03", part781); + + var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority 
%{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg757 = msg("node:04", part782); + + var select76 = linear_select([ + dup131, + dup132, + ]); + + var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); + + var select77 = linear_select([ + dup132, + dup131, + ]); + + var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); + + var all44 = all_match({ + processors: [ + dup130, + select76, + part783, + select77, + part784, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + ]), + }); + + var msg758 = msg("node:05", all44); + + var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); + + var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); + + var select78 = linear_select([ + part785, + part786, + ]); + + var all45 = all_match({ + processors: [ + dup130, + select78, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + ]), + }); + + var msg759 = msg("node:06", all45); + + var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg760 = msg("node:07", part787); + + var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg761 = msg("node:08", part788); + + var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ + dup21, + dup23, + dup22, + ])); + + var msg762 = msg("node:09", part789); + + var select79 = linear_select([ + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + ]); + + var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) 
%{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg763 = msg("(FPC:01", part790); + + var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg764 = msg("(FPC:02", part791); + + var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); + + var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); + + var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); + + var select80 = linear_select([ + part793, + part794, + ]); + + var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); + + var all46 = all_match({ + processors: [ + part792, + select80, + part795, + ], + on_success: processor_chain([ + dup21, + dup23, + dup22, + dup24, + ]), + }); + + var msg765 = msg("(FPC:03", all46); + + var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg766 = msg("(FPC:04", part796); + + var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg767 = msg("(FPC:05", part797); + + var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ + dup21, + dup23, + dup22, + dup24, + ])); + + var msg768 = msg("(FPC", part798); + + var select81 = linear_select([ + msg763, + msg764, + msg765, + msg766, 
+ msg767, + msg768, + ]); + + var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup48, + dup23, + dup22, + dup24, + ])); + + var msg769 = msg("tnp.bootpd", part799); + + var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup48, + dup52, + dup22, + dup61, + ])); + + var msg770 = msg("AAMW_ACTION_LOG", part800); + + var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup133, + dup52, + dup22, + dup61, + ])); + + var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); + + var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup133, + dup52, + dup22, + ])); + + var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); + + var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", 
"nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ + dup81, + dup52, + dup22, + dup61, + ])); + + var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); + + var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup81, + dup52, + dup22, + dup61, + ])); + + var msg774 = msg("RT_SCREEN_ICMP", part804); + + var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" 
protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup46, + dup52, + dup22, + dup61, + ])); + + var msg775 = msg("SECINTEL_ACTION_LOG", part805); + + var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); + + var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); + + var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); + + var select82 = linear_select([ + part807, + part808, + ]); + + var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); + + var all47 = all_match({ + processors: [ + part806, + select82, + part809, + ], + on_success: processor_chain([ + dup21, + dup22, + dup23, + ]), + }); + + var msg776 = msg("qsfp", all47); + + var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ + dup21, + dup22, + dup121, + dup23, + ])); + + var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); + + var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup125, + dup34, + dup35, + dup126, + dup37, + dup22, + setc("event_description","LOGOUT"), + dup23, + ])); + + var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); + + var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup30, + dup22, + dup129, + dup23, + ])); + + var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); + + var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", 
"%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup30, + dup22, + dup57, + dup23, + ])); + + var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); + + var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup21, + dup22, + dup38, + dup23, + ])); + + var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); + + var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); + + var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); + + var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); + + var select83 = linear_select([ + part816, + part817, + ]); + + var all48 = all_match({ + processors: [ + part815, + select83, + ], + on_success: processor_chain([ + dup21, + dup22, + dup38, + dup23, + ]), + }); + + var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); + + var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ + dup21, + dup22, + dup23, + ])); + + var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); + + var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup134, + dup23, + dup22, + setc("event_description","Interface Monitor failed "), + dup24, + ])); + + var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); + + var 
part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup134, + dup23, + dup22, + setc("event_description","Interface Monitor failure recovered"), + dup24, + ])); + + var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); + + var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup134, + dup23, + dup22, + dup24, + ])); + + var msg786 = msg("JUNOSROUTER_GENERIC", part821); + + var select84 = linear_select([ + msg777, + msg778, + msg779, + msg780, + msg781, + msg782, + msg783, + msg784, + msg785, + msg786, + ]); + + var chain1 = processor_chain([ + select5, + msgid_select({ + "(FPC": select81, + "/usr/libexec/telnetd": msg2, + "/usr/sbin/cron": msg734, + "/usr/sbin/sshd": msg1, + "AAMWD_NETWORK_CONNECT_FAILED": msg745, + "AAMW_ACTION_LOG": msg770, + "AAMW_HOST_INFECTED_EVENT_LOG": msg771, + "AAMW_MALWARE_EVENT_LOG": msg772, + "ACCT_ACCOUNTING_FERROR": msg114, + "ACCT_ACCOUNTING_FOPEN_ERROR": msg115, + "ACCT_ACCOUNTING_SMALL_FILE_SIZE": msg116, + "ACCT_BAD_RECORD_FORMAT": msg117, + "ACCT_CU_RTSLIB_error": msg118, + "ACCT_GETHOSTNAME_error": msg119, + "ACCT_MALLOC_FAILURE": msg120, + "ACCT_UNDEFINED_COUNTER_NAME": msg121, + "ACCT_XFER_FAILED": msg122, + "ACCT_XFER_POPEN_FAIL": msg123, + "APPQOS_LOG_EVENT": msg124, + "APPTRACK_SESSION_CLOSE": select30, + "APPTRACK_SESSION_CREATE": msg125, + "APPTRACK_SESSION_VOL_UPDATE": select31, + "BCHIP": msg106, + "BFDD_TRAP_STATE_DOWN": msg130, + "BFDD_TRAP_STATE_UP": msg131, + "BOOTPD_ARG_ERR": msg143, + "BOOTPD_BAD_ID": msg144, + "BOOTPD_BOOTSTRING": msg145, + "BOOTPD_CONFIG_ERR": msg146, + "BOOTPD_CONF_OPEN": msg147, + "BOOTPD_DUP_REV": msg148, + "BOOTPD_DUP_SLOT": msg149, + "BOOTPD_MODEL_CHK": msg150, + "BOOTPD_MODEL_ERR": msg151, + "BOOTPD_NEW_CONF": msg152, + "BOOTPD_NO_BOOTSTRING": msg153, + "BOOTPD_NO_CONFIG": msg154, + "BOOTPD_PARSE_ERR": msg155, + 
"BOOTPD_REPARSE": msg156, + "BOOTPD_SELECT_ERR": msg157, + "BOOTPD_TIMEOUT": msg158, + "BOOTPD_VERSION": msg159, + "CHASSISD": msg160, + "CHASSISD_ARGUMENT_ERROR": msg161, + "CHASSISD_BLOWERS_SPEED": msg162, + "CHASSISD_BLOWERS_SPEED_FULL": msg163, + "CHASSISD_CB_READ": msg164, + "CHASSISD_COMMAND_ACK_ERROR": msg165, + "CHASSISD_COMMAND_ACK_SF_ERROR": msg166, + "CHASSISD_CONCAT_MODE_ERROR": msg167, + "CHASSISD_CONFIG_INIT_ERROR": msg168, + "CHASSISD_CONFIG_WARNING": msg169, + "CHASSISD_EXISTS": msg170, + "CHASSISD_EXISTS_TERM_OTHER": msg171, + "CHASSISD_FILE_OPEN": msg172, + "CHASSISD_FILE_STAT": msg173, + "CHASSISD_FRU_EVENT": msg174, + "CHASSISD_FRU_IPC_WRITE_ERROR_EXT": msg175, + "CHASSISD_FRU_STEP_ERROR": msg176, + "CHASSISD_GETTIMEOFDAY": msg177, + "CHASSISD_HIGH_TEMP_CONDITION": msg214, + "CHASSISD_HOST_TEMP_READ": msg178, + "CHASSISD_IFDEV_DETACH_ALL_PSEUDO": msg179, + "CHASSISD_IFDEV_DETACH_FPC": msg180, + "CHASSISD_IFDEV_DETACH_PIC": msg181, + "CHASSISD_IFDEV_DETACH_PSEUDO": msg182, + "CHASSISD_IFDEV_DETACH_TLV_ERROR": msg183, + "CHASSISD_IFDEV_GET_BY_INDEX_FAIL": msg184, + "CHASSISD_IPC_MSG_QFULL_ERROR": msg185, + "CHASSISD_IPC_UNEXPECTED_RECV": msg186, + "CHASSISD_IPC_WRITE_ERR_NO_PIPE": msg187, + "CHASSISD_IPC_WRITE_ERR_NULL_ARGS": msg188, + "CHASSISD_MAC_ADDRESS_ERROR": msg189, + "CHASSISD_MAC_DEFAULT": msg190, + "CHASSISD_MBUS_ERROR": msg191, + "CHASSISD_PARSE_COMPLETE": msg192, + "CHASSISD_PARSE_ERROR": msg193, + "CHASSISD_PARSE_INIT": msg194, + "CHASSISD_PIDFILE_OPEN": msg195, + "CHASSISD_PIPE_WRITE_ERROR": msg196, + "CHASSISD_POWER_CHECK": msg197, + "CHASSISD_RECONNECT_SUCCESSFUL": msg198, + "CHASSISD_RELEASE_MASTERSHIP": msg199, + "CHASSISD_RE_INIT_INVALID_RE_SLOT": msg200, + "CHASSISD_ROOT_MOUNT_ERROR": msg201, + "CHASSISD_RTS_SEQ_ERROR": msg202, + "CHASSISD_SBOARD_VERSION_MISMATCH": msg203, + "CHASSISD_SERIAL_ID": msg204, + "CHASSISD_SMB_ERROR": msg205, + "CHASSISD_SNMP_TRAP10": msg208, + "CHASSISD_SNMP_TRAP6": msg206, + "CHASSISD_SNMP_TRAP7": 
msg207, + "CHASSISD_TERM_SIGNAL": msg209, + "CHASSISD_TRACE_PIC_OFFLINE": msg210, + "CHASSISD_UNEXPECTED_EXIT": msg211, + "CHASSISD_UNSUPPORTED_MODEL": msg212, + "CHASSISD_VERSION_MISMATCH": msg213, + "CM": msg107, + "CM_JAVA": msg216, + "COS": msg108, + "COSFPC": msg109, + "COSMAN": msg110, + "CRON": msg16, + "CROND": select11, + "Cmerror": msg17, + "DCD_AS_ROOT": msg217, + "DCD_FILTER_LIB_ERROR": msg218, + "DCD_MALLOC_FAILED_INIT": msg219, + "DCD_PARSE_EMERGENCY": msg220, + "DCD_PARSE_FILTER_EMERGENCY": msg221, + "DCD_PARSE_MINI_EMERGENCY": msg222, + "DCD_PARSE_STATE_EMERGENCY": msg223, + "DCD_POLICER_PARSE_EMERGENCY": msg224, + "DCD_PULL_LOG_FAILURE": msg225, + "DFWD_ARGUMENT_ERROR": msg226, + "DFWD_MALLOC_FAILED_INIT": msg227, + "DFWD_PARSE_FILTER_EMERGENCY": msg228, + "DFWD_PARSE_STATE_EMERGENCY": msg229, + "ECCD_DAEMONIZE_FAILED": msg230, + "ECCD_DUPLICATE": msg231, + "ECCD_LOOP_EXIT_FAILURE": msg232, + "ECCD_NOT_ROOT": msg233, + "ECCD_PCI_FILE_OPEN_FAILED": msg234, + "ECCD_PCI_READ_FAILED": msg235, + "ECCD_PCI_WRITE_FAILED": msg236, + "ECCD_PID_FILE_LOCK": msg237, + "ECCD_PID_FILE_UPDATE": msg238, + "ECCD_TRACE_FILE_OPEN_FAILED": msg239, + "ECCD_usage": msg240, + "EVENT": msg23, + "EVENTD_AUDIT_SHOW": msg241, + "FLOW_REASSEMBLE_FAIL": msg731, + "FLOW_REASSEMBLE_SUCCEED": msg242, + "FSAD_CHANGE_FILE_OWNER": msg243, + "FSAD_CONFIG_ERROR": msg244, + "FSAD_CONNTIMEDOUT": msg245, + "FSAD_FAILED": msg246, + "FSAD_FETCHTIMEDOUT": msg247, + "FSAD_FILE_FAILED": msg248, + "FSAD_FILE_REMOVE": msg249, + "FSAD_FILE_RENAME": msg250, + "FSAD_FILE_STAT": msg251, + "FSAD_FILE_SYNC": msg252, + "FSAD_MAXCONN": msg253, + "FSAD_MEMORYALLOC_FAILED": msg254, + "FSAD_NOT_ROOT": msg255, + "FSAD_PARENT_DIRECTORY": msg256, + "FSAD_PATH_IS_DIRECTORY": msg257, + "FSAD_PATH_IS_SPECIAL": msg258, + "FSAD_RECVERROR": msg259, + "FSAD_TERMINATED_CONNECTION": msg260, + "FSAD_TERMINATING_SIGNAL": msg261, + "FSAD_TRACEOPEN_FAILED": msg262, + "FSAD_USAGE": msg263, + "Failed": select25, + 
"GGSN_ALARM_TRAP_FAILED": msg264, + "GGSN_ALARM_TRAP_SEND": msg265, + "GGSN_TRAP_SEND": msg266, + "IDP_ATTACK_LOG_EVENT": msg773, + "JADE_AUTH_ERROR": msg267, + "JADE_EXEC_ERROR": msg268, + "JADE_NO_LOCAL_USER": msg269, + "JADE_PAM_ERROR": msg270, + "JADE_PAM_NO_LOCAL_USER": msg271, + "JSRPD_HA_CONTROL_LINK_UP": msg748, + "JUNOSROUTER_GENERIC": select84, + "KERN_ARP_ADDR_CHANGE": msg272, + "KMD_PM_SA_ESTABLISHED": msg273, + "L2CPD_TASK_REINIT": msg274, + "LACPD_TIMEOUT": msg749, + "LIBJNX_EXEC_EXITED": msg275, + "LIBJNX_EXEC_FAILED": msg276, + "LIBJNX_EXEC_PIPE": msg277, + "LIBJNX_EXEC_SIGNALED": msg278, + "LIBJNX_EXEC_WEXIT": msg279, + "LIBJNX_FILE_COPY_FAILED": msg280, + "LIBJNX_PRIV_LOWER_FAILED": msg281, + "LIBJNX_PRIV_RAISE_FAILED": msg282, + "LIBJNX_REPLICATE_RCP_EXEC_FAILED": msg283, + "LIBJNX_ROTATE_COMPRESS_EXEC_FAILED": msg284, + "LIBSERVICED_CLIENT_CONNECTION": msg285, + "LIBSERVICED_OUTBOUND_REQUEST": msg286, + "LIBSERVICED_SNMP_LOST_CONNECTION": msg287, + "LIBSERVICED_SOCKET_BIND": msg288, + "LIBSERVICED_SOCKET_PRIVATIZE": msg289, + "LICENSE_EXPIRED": msg290, + "LICENSE_EXPIRED_KEY_DELETED": msg291, + "LICENSE_NEARING_EXPIRY": msg292, + "LOGIN_ABORTED": msg293, + "LOGIN_FAILED": msg294, + "LOGIN_FAILED_INCORRECT_PASSWORD": msg295, + "LOGIN_FAILED_SET_CONTEXT": msg296, + "LOGIN_FAILED_SET_LOGIN": msg297, + "LOGIN_HOSTNAME_UNRESOLVED": msg298, + "LOGIN_INFORMATION": msg299, + "LOGIN_INVALID_LOCAL_USER": msg300, + "LOGIN_MALFORMED_USER": msg301, + "LOGIN_PAM_AUTHENTICATION_ERROR": msg302, + "LOGIN_PAM_ERROR": msg303, + "LOGIN_PAM_MAX_RETRIES": msg304, + "LOGIN_PAM_NONLOCAL_USER": msg305, + "LOGIN_PAM_STOP": msg306, + "LOGIN_PAM_USER_UNKNOWN": msg307, + "LOGIN_PASSWORD_EXPIRED": msg308, + "LOGIN_REFUSED": msg309, + "LOGIN_ROOT": msg310, + "LOGIN_TIMED_OUT": msg311, + "MIB2D_ATM_ERROR": msg312, + "MIB2D_CONFIG_CHECK_FAILED": msg313, + "MIB2D_FILE_OPEN_FAILURE": msg314, + "MIB2D_IFD_IFINDEX_FAILURE": msg315, + "MIB2D_IFL_IFINDEX_FAILURE": msg316, + 
"MIB2D_INIT_FAILURE": msg317, + "MIB2D_KVM_FAILURE": msg318, + "MIB2D_RTSLIB_READ_FAILURE": msg319, + "MIB2D_RTSLIB_SEQ_MISMATCH": msg320, + "MIB2D_SYSCTL_FAILURE": msg321, + "MIB2D_TRAP_HEADER_FAILURE": msg322, + "MIB2D_TRAP_SEND_FAILURE": msg323, + "MRVL-L2": msg56, + "Multiuser": msg324, + "NASD_AUTHENTICATION_CREATE_FAILED": msg325, + "NASD_CHAP_AUTHENTICATION_IN_PROGRESS": msg326, + "NASD_CHAP_GETHOSTNAME_FAILED": msg327, + "NASD_CHAP_INVALID_CHAP_IDENTIFIER": msg328, + "NASD_CHAP_INVALID_OPCODE": msg329, + "NASD_CHAP_LOCAL_NAME_UNAVAILABLE": msg330, + "NASD_CHAP_MESSAGE_UNEXPECTED": msg331, + "NASD_CHAP_REPLAY_ATTACK_DETECTED": msg332, + "NASD_CONFIG_GET_LAST_MODIFIED_FAILED": msg333, + "NASD_DAEMONIZE_FAILED": msg334, + "NASD_DB_ALLOC_FAILURE": msg335, + "NASD_DB_TABLE_CREATE_FAILURE": msg336, + "NASD_DUPLICATE": msg337, + "NASD_EVLIB_CREATE_FAILURE": msg338, + "NASD_EVLIB_EXIT_FAILURE": msg339, + "NASD_LOCAL_CREATE_FAILED": msg340, + "NASD_NOT_ROOT": msg341, + "NASD_PID_FILE_LOCK": msg342, + "NASD_PID_FILE_UPDATE": msg343, + "NASD_POST_CONFIGURE_EVENT_FAILED": msg344, + "NASD_PPP_READ_FAILURE": msg345, + "NASD_PPP_SEND_FAILURE": msg346, + "NASD_PPP_SEND_PARTIAL": msg347, + "NASD_PPP_UNRECOGNIZED": msg348, + "NASD_RADIUS_ALLOCATE_PASSWORD_FAILED": msg349, + "NASD_RADIUS_CONFIG_FAILED": msg350, + "NASD_RADIUS_CREATE_FAILED": msg351, + "NASD_RADIUS_CREATE_REQUEST_FAILED": msg352, + "NASD_RADIUS_GETHOSTNAME_FAILED": msg353, + "NASD_RADIUS_MESSAGE_UNEXPECTED": msg354, + "NASD_RADIUS_OPEN_FAILED": msg355, + "NASD_RADIUS_SELECT_FAILED": msg356, + "NASD_RADIUS_SET_TIMER_FAILED": msg357, + "NASD_TRACE_FILE_OPEN_FAILED": msg358, + "NASD_usage": msg359, + "NOTICE": msg360, + "PFEMAN": msg61, + "PFE_FW_SYSLOG_IP": select36, + "PFE_NH_RESOLVE_THROTTLED": msg363, + "PING_TEST_COMPLETED": msg364, + "PING_TEST_FAILED": msg365, + "PKID_UNABLE_TO_GET_CRL": msg746, + "PWC_EXIT": msg368, + "PWC_HOLD_RELEASE": msg369, + "PWC_INVALID_RUNS_ARGUMENT": msg370, + 
"PWC_INVALID_TIMEOUT_ARGUMENT": msg371, + "PWC_KILLED_BY_SIGNAL": msg372, + "PWC_KILL_EVENT": msg373, + "PWC_KILL_FAILED": msg374, + "PWC_KQUEUE_ERROR": msg375, + "PWC_KQUEUE_INIT": msg376, + "PWC_KQUEUE_REGISTER_FILTER": msg377, + "PWC_LOCKFILE_BAD_FORMAT": msg378, + "PWC_LOCKFILE_ERROR": msg379, + "PWC_LOCKFILE_MISSING": msg380, + "PWC_LOCKFILE_NOT_LOCKED": msg381, + "PWC_NO_PROCESS": msg382, + "PWC_PROCESS_EXIT": msg383, + "PWC_PROCESS_FORCED_HOLD": msg384, + "PWC_PROCESS_HOLD": msg385, + "PWC_PROCESS_HOLD_SKIPPED": msg386, + "PWC_PROCESS_OPEN": msg387, + "PWC_PROCESS_TIMED_HOLD": msg388, + "PWC_PROCESS_TIMEOUT": msg389, + "PWC_SIGNAL_INIT": msg390, + "PWC_SOCKET_CONNECT": msg391, + "PWC_SOCKET_CREATE": msg392, + "PWC_SOCKET_OPTION": msg393, + "PWC_STDOUT_WRITE": msg394, + "PWC_SYSTEM_CALL": msg395, + "PWC_UNKNOWN_KILL_OPTION": msg396, + "RDP": msg111, + "RMOPD_ADDRESS_MULTICAST_INVALID": msg397, + "RMOPD_ADDRESS_SOURCE_INVALID": msg398, + "RMOPD_ADDRESS_STRING_FAILURE": msg399, + "RMOPD_ADDRESS_TARGET_INVALID": msg400, + "RMOPD_DUPLICATE": msg401, + "RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED": msg402, + "RMOPD_ICMP_SENDMSG_FAILURE": msg403, + "RMOPD_IFINDEX_NOT_ACTIVE": msg404, + "RMOPD_IFINDEX_NO_INFO": msg405, + "RMOPD_IFNAME_NOT_ACTIVE": msg406, + "RMOPD_IFNAME_NO_INFO": msg407, + "RMOPD_NOT_ROOT": msg408, + "RMOPD_ROUTING_INSTANCE_NO_INFO": msg409, + "RMOPD_TRACEROUTE_ERROR": msg410, + "RMOPD_usage": msg411, + "RPD_ABORT": msg412, + "RPD_ACTIVE_TERMINATE": msg413, + "RPD_ASSERT": msg414, + "RPD_ASSERT_SOFT": msg415, + "RPD_EXIT": msg416, + "RPD_IFL_INDEXCOLLISION": msg417, + "RPD_IFL_NAMECOLLISION": msg418, + "RPD_ISIS_ADJDOWN": msg419, + "RPD_ISIS_ADJUP": msg420, + "RPD_ISIS_ADJUPNOIP": msg421, + "RPD_ISIS_LSPCKSUM": msg422, + "RPD_ISIS_OVERLOAD": msg423, + "RPD_KRT_AFUNSUPRT": msg424, + "RPD_KRT_CCC_IFL_MODIFY": msg425, + "RPD_KRT_DELETED_RTT": msg426, + "RPD_KRT_IFA_GENERATION": msg427, + "RPD_KRT_IFDCHANGE": msg428, + "RPD_KRT_IFDEST_GET": msg429, + 
"RPD_KRT_IFDGET": msg430, + "RPD_KRT_IFD_GENERATION": msg431, + "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID": msg432, + "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED": msg433, + "RPD_KRT_IFL_GENERATION": msg434, + "RPD_KRT_KERNEL_BAD_ROUTE": msg435, + "RPD_KRT_NEXTHOP_OVERFLOW": msg436, + "RPD_KRT_NOIFD": msg437, + "RPD_KRT_UNKNOWN_RTT": msg438, + "RPD_KRT_VERSION": msg439, + "RPD_KRT_VERSIONNONE": msg440, + "RPD_KRT_VERSIONOLD": msg441, + "RPD_LDP_INTF_BLOCKED": msg442, + "RPD_LDP_INTF_UNBLOCKED": msg443, + "RPD_LDP_NBRDOWN": msg444, + "RPD_LDP_NBRUP": msg445, + "RPD_LDP_SESSIONDOWN": msg446, + "RPD_LDP_SESSIONUP": msg447, + "RPD_LOCK_FLOCKED": msg448, + "RPD_LOCK_LOCKED": msg449, + "RPD_MPLS_LSP_CHANGE": msg450, + "RPD_MPLS_LSP_DOWN": msg451, + "RPD_MPLS_LSP_SWITCH": msg452, + "RPD_MPLS_LSP_UP": msg453, + "RPD_MSDP_PEER_DOWN": msg454, + "RPD_MSDP_PEER_UP": msg455, + "RPD_OSPF_NBRDOWN": msg456, + "RPD_OSPF_NBRUP": msg457, + "RPD_OS_MEMHIGH": msg458, + "RPD_PIM_NBRDOWN": msg459, + "RPD_PIM_NBRUP": msg460, + "RPD_RDISC_CKSUM": msg461, + "RPD_RDISC_NOMULTI": msg462, + "RPD_RDISC_NORECVIF": msg463, + "RPD_RDISC_SOLICITADDR": msg464, + "RPD_RDISC_SOLICITICMP": msg465, + "RPD_RDISC_SOLICITLEN": msg466, + "RPD_RIP_AUTH": msg467, + "RPD_RIP_JOIN_BROADCAST": msg468, + "RPD_RIP_JOIN_MULTICAST": msg469, + "RPD_RT_IFUP": msg470, + "RPD_SCHED_CALLBACK_LONGRUNTIME": msg471, + "RPD_SCHED_CUMULATIVE_LONGRUNTIME": msg472, + "RPD_SCHED_MODULE_LONGRUNTIME": msg473, + "RPD_SCHED_TASK_LONGRUNTIME": msg474, + "RPD_SIGNAL_TERMINATE": msg475, + "RPD_START": msg476, + "RPD_SYSTEM": msg477, + "RPD_TASK_BEGIN": msg478, + "RPD_TASK_CHILDKILLED": msg479, + "RPD_TASK_CHILDSTOPPED": msg480, + "RPD_TASK_FORK": msg481, + "RPD_TASK_GETWD": msg482, + "RPD_TASK_NOREINIT": msg483, + "RPD_TASK_PIDCLOSED": msg484, + "RPD_TASK_PIDFLOCK": msg485, + "RPD_TASK_PIDWRITE": msg486, + "RPD_TASK_REINIT": msg487, + "RPD_TASK_SIGNALIGNORE": msg488, + "RT_COS": msg489, + "RT_FLOW_SESSION_CLOSE": select51, + 
"RT_FLOW_SESSION_CREATE": select45, + "RT_FLOW_SESSION_DENY": select47, + "RT_SCREEN_ICMP": msg774, + "RT_SCREEN_IP": select52, + "RT_SCREEN_SESSION_LIMIT": msg504, + "RT_SCREEN_TCP": msg503, + "RT_SCREEN_UDP": msg505, + "Resolve": msg63, + "SECINTEL_ACTION_LOG": msg775, + "SECINTEL_ERROR_OTHERS": msg747, + "SECINTEL_NETWORK_CONNECT_FAILED": msg744, + "SERVICED_CLIENT_CONNECT": msg506, + "SERVICED_CLIENT_DISCONNECTED": msg507, + "SERVICED_CLIENT_ERROR": msg508, + "SERVICED_COMMAND_FAILED": msg509, + "SERVICED_COMMIT_FAILED": msg510, + "SERVICED_CONFIGURATION_FAILED": msg511, + "SERVICED_CONFIG_ERROR": msg512, + "SERVICED_CONFIG_FILE": msg513, + "SERVICED_CONNECTION_ERROR": msg514, + "SERVICED_DISABLED_GGSN": msg515, + "SERVICED_DUPLICATE": msg516, + "SERVICED_EVENT_FAILED": msg517, + "SERVICED_INIT_FAILED": msg518, + "SERVICED_MALLOC_FAILURE": msg519, + "SERVICED_NETWORK_FAILURE": msg520, + "SERVICED_NOT_ROOT": msg521, + "SERVICED_PID_FILE_LOCK": msg522, + "SERVICED_PID_FILE_UPDATE": msg523, + "SERVICED_RTSOCK_SEQUENCE": msg524, + "SERVICED_SIGNAL_HANDLER": msg525, + "SERVICED_SOCKET_CREATE": msg526, + "SERVICED_SOCKET_IO": msg527, + "SERVICED_SOCKET_OPTION": msg528, + "SERVICED_STDLIB_FAILURE": msg529, + "SERVICED_USAGE": msg530, + "SERVICED_WORK_INCONSISTENCY": msg531, + "SNMPD_ACCESS_GROUP_ERROR": msg537, + "SNMPD_AUTH_FAILURE": select53, + "SNMPD_AUTH_PRIVILEGES_EXCEEDED": msg542, + "SNMPD_AUTH_RESTRICTED_ADDRESS": msg543, + "SNMPD_AUTH_WRONG_PDU_TYPE": msg544, + "SNMPD_CONFIG_ERROR": msg545, + "SNMPD_CONTEXT_ERROR": msg546, + "SNMPD_ENGINE_FILE_FAILURE": msg547, + "SNMPD_ENGINE_PROCESS_ERROR": msg548, + "SNMPD_FILE_FAILURE": msg549, + "SNMPD_GROUP_ERROR": msg550, + "SNMPD_INIT_FAILED": msg551, + "SNMPD_LIBJUNIPER_FAILURE": msg552, + "SNMPD_LOOPBACK_ADDR_ERROR": msg553, + "SNMPD_MEMORY_FREED": msg554, + "SNMPD_RADIX_FAILURE": msg555, + "SNMPD_RECEIVE_FAILURE": msg556, + "SNMPD_RMONFILE_FAILURE": msg557, + "SNMPD_RMON_COOKIE": msg558, + "SNMPD_RMON_EVENTLOG": 
msg559, + "SNMPD_RMON_IOERROR": msg560, + "SNMPD_RMON_MIBERROR": msg561, + "SNMPD_RTSLIB_ASYNC_EVENT": msg562, + "SNMPD_SEND_FAILURE": select54, + "SNMPD_SOCKET_FAILURE": msg565, + "SNMPD_SUBAGENT_NO_BUFFERS": msg566, + "SNMPD_SUBAGENT_SEND_FAILED": msg567, + "SNMPD_SYSLIB_FAILURE": msg568, + "SNMPD_THROTTLE_QUEUE_DRAINED": msg569, + "SNMPD_TRAP_COLD_START": msg570, + "SNMPD_TRAP_GEN_FAILURE": msg571, + "SNMPD_TRAP_GEN_FAILURE2": msg572, + "SNMPD_TRAP_INVALID_DATA": msg573, + "SNMPD_TRAP_NOT_ENOUGH_VARBINDS": msg574, + "SNMPD_TRAP_QUEUED": msg575, + "SNMPD_TRAP_QUEUE_DRAINED": msg576, + "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS": msg577, + "SNMPD_TRAP_QUEUE_MAX_SIZE": msg578, + "SNMPD_TRAP_THROTTLED": msg579, + "SNMPD_TRAP_TYPE_ERROR": msg580, + "SNMPD_TRAP_VARBIND_TYPE_ERROR": msg581, + "SNMPD_TRAP_VERSION_ERROR": msg582, + "SNMPD_TRAP_WARM_START": msg583, + "SNMPD_USER_ERROR": msg584, + "SNMPD_VIEW_DELETE": msg585, + "SNMPD_VIEW_INSTALL_DEFAULT": msg586, + "SNMPD_VIEW_OID_PARSE": msg587, + "SNMP_GET_ERROR1": msg588, + "SNMP_GET_ERROR2": msg589, + "SNMP_GET_ERROR3": msg590, + "SNMP_GET_ERROR4": msg591, + "SNMP_NS_LOG_INFO": msg535, + "SNMP_RTSLIB_FAILURE": msg592, + "SNMP_SUBAGENT_IPC_REG_ROWS": msg536, + "SNMP_TRAP_LINK_DOWN": select55, + "SNMP_TRAP_LINK_UP": select56, + "SNMP_TRAP_PING_PROBE_FAILED": msg597, + "SNMP_TRAP_PING_TEST_COMPLETED": msg598, + "SNMP_TRAP_PING_TEST_FAILED": msg599, + "SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE": msg600, + "SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED": msg601, + "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED": msg602, + "SNTPD": msg112, + "SSB": msg113, + "SSHD_LOGIN_FAILED": select57, + "SSL_PROXY_SESSION_IGNORE": msg534, + "SSL_PROXY_SSL_SESSION_ALLOW": msg532, + "SSL_PROXY_SSL_SESSION_DROP": msg533, + "TASK_TASK_REINIT": msg606, + "TFTPD_AF_ERR": msg607, + "TFTPD_BIND_ERR": msg608, + "TFTPD_CONNECT_ERR": msg609, + "TFTPD_CONNECT_INFO": msg610, + "TFTPD_CREATE_ERR": msg611, + "TFTPD_FIO_ERR": msg612, + "TFTPD_FORK_ERR": msg613, + "TFTPD_NAK_ERR": msg614, + 
"TFTPD_OPEN_ERR": msg615, + "TFTPD_RECVCOMPLETE_INFO": msg616, + "TFTPD_RECVFROM_ERR": msg617, + "TFTPD_RECV_ERR": msg618, + "TFTPD_SENDCOMPLETE_INFO": msg619, + "TFTPD_SEND_ERR": msg620, + "TFTPD_SOCKET_ERR": msg621, + "TFTPD_STATFS_ERR": msg622, + "TNP": msg623, + "UI_AUTH_EVENT": msg628, + "UI_AUTH_INVALID_CHALLENGE": msg629, + "UI_BOOTTIME_FAILED": msg630, + "UI_CFG_AUDIT_NEW": select58, + "UI_CFG_AUDIT_OTHER": select60, + "UI_CFG_AUDIT_SET": select63, + "UI_CFG_AUDIT_SET_SECRET": select64, + "UI_CHILD_ARGS_EXCEEDED": msg645, + "UI_CHILD_CHANGE_USER": msg646, + "UI_CHILD_EXEC": msg647, + "UI_CHILD_EXITED": msg648, + "UI_CHILD_FOPEN": msg649, + "UI_CHILD_PIPE_FAILED": msg650, + "UI_CHILD_SIGNALED": msg651, + "UI_CHILD_START": msg653, + "UI_CHILD_STATUS": msg654, + "UI_CHILD_STOPPED": msg652, + "UI_CHILD_WAITPID": msg655, + "UI_CLI_IDLE_TIMEOUT": msg656, + "UI_CMDLINE_READ_LINE": msg657, + "UI_CMDSET_EXEC_FAILED": msg658, + "UI_CMDSET_FORK_FAILED": msg659, + "UI_CMDSET_PIPE_FAILED": msg660, + "UI_CMDSET_STOPPED": msg661, + "UI_CMDSET_WEXITED": msg662, + "UI_CMD_AUTH_REGEX_INVALID": msg663, + "UI_COMMIT": msg664, + "UI_COMMIT_AT": msg665, + "UI_COMMIT_AT_COMPLETED": msg666, + "UI_COMMIT_AT_FAILED": msg667, + "UI_COMMIT_COMPRESS_FAILED": msg668, + "UI_COMMIT_CONFIRMED": msg669, + "UI_COMMIT_CONFIRMED_REMINDER": msg670, + "UI_COMMIT_CONFIRMED_TIMED": msg671, + "UI_COMMIT_EMPTY_CONTAINER": msg672, + "UI_COMMIT_NOT_CONFIRMED": msg673, + "UI_COMMIT_PROGRESS": msg674, + "UI_COMMIT_QUIT": msg675, + "UI_COMMIT_ROLLBACK_FAILED": msg676, + "UI_COMMIT_SYNC": msg677, + "UI_COMMIT_SYNC_FORCE": msg678, + "UI_CONFIGURATION_ERROR": msg679, + "UI_DAEMON_ACCEPT_FAILED": msg680, + "UI_DAEMON_FORK_FAILED": msg681, + "UI_DAEMON_SELECT_FAILED": msg682, + "UI_DAEMON_SOCKET_FAILED": msg683, + "UI_DBASE_ACCESS_FAILED": msg684, + "UI_DBASE_CHECKOUT_FAILED": msg685, + "UI_DBASE_EXTEND_FAILED": msg686, + "UI_DBASE_LOGIN_EVENT": msg687, + "UI_DBASE_LOGOUT_EVENT": msg688, + 
"UI_DBASE_MISMATCH_EXTENT": msg689, + "UI_DBASE_MISMATCH_MAJOR": msg690, + "UI_DBASE_MISMATCH_MINOR": msg691, + "UI_DBASE_MISMATCH_SEQUENCE": msg692, + "UI_DBASE_MISMATCH_SIZE": msg693, + "UI_DBASE_OPEN_FAILED": msg694, + "UI_DBASE_REBUILD_FAILED": msg695, + "UI_DBASE_REBUILD_SCHEMA_FAILED": msg696, + "UI_DBASE_REBUILD_STARTED": msg697, + "UI_DBASE_RECREATE": msg698, + "UI_DBASE_REOPEN_FAILED": msg699, + "UI_DUPLICATE_UID": msg700, + "UI_JUNOSCRIPT_CMD": msg701, + "UI_JUNOSCRIPT_ERROR": msg702, + "UI_LOAD_EVENT": msg703, + "UI_LOAD_JUNOS_DEFAULT_FILE_EVENT": msg704, + "UI_LOGIN_EVENT": select71, + "UI_LOGOUT_EVENT": msg707, + "UI_LOST_CONN": msg708, + "UI_MASTERSHIP_EVENT": msg709, + "UI_MGD_TERMINATE": msg710, + "UI_NETCONF_CMD": msg711, + "UI_READ_FAILED": msg712, + "UI_READ_TIMEOUT": msg713, + "UI_REBOOT_EVENT": msg714, + "UI_RESTART_EVENT": msg715, + "UI_SCHEMA_CHECKOUT_FAILED": msg716, + "UI_SCHEMA_MISMATCH_MAJOR": msg717, + "UI_SCHEMA_MISMATCH_MINOR": msg718, + "UI_SCHEMA_MISMATCH_SEQUENCE": msg719, + "UI_SCHEMA_SEQUENCE_ERROR": msg720, + "UI_SYNC_OTHER_RE": msg721, + "UI_TACPLUS_ERROR": msg722, + "UI_VERSION_FAILED": msg723, + "UI_WRITE_RECONNECT": msg724, + "VRRPD_NEWMASTER_TRAP": msg725, + "Version": msg99, + "WEBFILTER_REQUEST_NOT_CHECKED": msg730, + "WEBFILTER_URL_BLOCKED": select75, + "WEBFILTER_URL_PERMITTED": select74, + "WEB_AUTH_FAIL": msg726, + "WEB_AUTH_SUCCESS": msg727, + "WEB_INTERFACE_UNAUTH": msg728, + "WEB_READ": msg729, + "alarmd": msg3, + "bgp_connect_start": msg132, + "bgp_event": msg133, + "bgp_listen_accept": msg134, + "bgp_listen_reset": msg135, + "bgp_nexthop_sanity": msg136, + "bgp_pp_recv": select33, + "bgp_process_caps": select32, + "bgp_send": msg141, + "bgp_traffic_timeout": msg142, + "bigd": select6, + "bigpipe": select7, + "bigstart": msg9, + "cgatool": msg10, + "chassisd": msg11, + "chassism": select73, + "checkd": select8, + "clean_process": msg215, + "cli": msg750, + "cosd": msg14, + "craftd": msg15, + "cron": msg18, + 
"crond": msg21, + "dcd": msg22, + "eswd": select72, + "ftpd": msg24, + "ha_rto_stats_handler": msg25, + "hostinit": msg26, + "idpinfo": msg752, + "ifinfo": select13, + "ifp_ifl_anydown_change_event": msg30, + "ifp_ifl_config_event": msg31, + "ifp_ifl_ext_chg": msg32, + "inetd": select14, + "init": select15, + "ipc_msg_write": msg40, + "kernel": select17, + "kmd": msg753, + "last": select28, + "login": select18, + "lsys_ssam_handler": msg53, + "mcsn": msg54, + "mgd": msg62, + "mrvl_dfw_log_effuse_status": msg55, + "node": select79, + "pfed": msg751, + "process_mode": select38, + "profile_ssam_handler": msg57, + "pst_nat_binding_set_profile": msg58, + "qsfp": msg776, + "respawn": msg64, + "root": msg65, + "rpd": select20, + "rshd": msg70, + "sfd": msg71, + "sshd": select21, + "syslogd": msg92, + "task_connect": msg605, + "task_reconfigure": msg59, + "tnetd": msg60, + "tnp.bootpd": msg769, + "trace_on": msg624, + "trace_rotate": msg625, + "transfer-file": msg626, + "ttloop": msg627, + "ucd-snmp": select26, + "usp_ipc_client_reconnect": msg95, + "usp_trace_ipc_disconnect": msg96, + "usp_trace_ipc_reconnect": msg97, + "uspinfo": msg98, + "xntpd": select27, + }), + ]); + + var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); + + var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); + + var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); + + var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); + + var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); + + var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); + + var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); + + var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); + + var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); + + var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); + + var part831 = 
match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); + + var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); + + var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); + + var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); + + var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); + + var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); + + var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); + + var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); + + var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); + + var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); + + var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); + + var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); + + var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); + + var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); + + var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); + + var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); + + var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); + + var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", 
"nwparser.payload", "%{event_type}: session denied %{p0}"); + + var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); + + var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); + + var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); + + var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); + + var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); + + var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); + + var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); + + var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); + + var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); + + var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", 
"nwparser.p0", "-> \"%{change_new}\""); + + var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); + + var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); + + var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); + + var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); + + var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); + + var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); + + var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + + var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); + + var select85 = linear_select([ + dup14, + dup15, + dup16, + dup17, + ]); + + var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ + dup13, + ])); + + var select86 = linear_select([ + dup40, + dup41, + ]); + + var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ + dup21, + dup22, + dup56, + dup23, + ])); + + var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup51, + dup22, + dup64, + dup23, + ])); + + var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup30, + dup22, + dup65, + dup23, + ])); + + var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: 
Another copy of this program is running", processor_chain([ + dup30, + dup22, + dup66, + dup23, + ])); + + var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup30, + dup22, + dup67, + dup23, + ])); + + var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup30, + dup22, + dup68, + dup23, + ])); + + var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup30, + dup22, + dup71, + dup23, + ])); + + var select87 = linear_select([ + dup76, + dup77, + ]); + + var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup30, + dup22, + dup79, + dup23, + ])); + + var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup30, + dup22, + dup84, + dup23, + ])); + + var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup30, + dup22, + dup85, + dup23, + ])); + + var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ + dup21, + dup22, + dup86, + dup23, + ])); + + var select88 = linear_select([ + dup88, + dup89, + ]); + + var select89 = linear_select([ + dup90, + dup45, + ]); + + var select90 = linear_select([ + dup95, + dup96, + ]); + + var 
select91 = linear_select([ + dup101, + dup91, + ]); + + var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup27, + dup22, + dup52, + ])); + + var select92 = linear_select([ + dup118, + dup119, + ]); + + var select93 = linear_select([ + dup123, + dup124, + ]); + + var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup30, + dup22, + dup52, + ])); + + var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", 
"fld12", processor_chain([ + dup48, + dup47, + dup23, + dup22, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/juniper/1.1.1/data_stream/junos/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/1.1.1/data_stream/junos/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..57565b4f7e --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/junos/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,71 @@
+---
+description: Pipeline for Juniper JUNOS
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/juniper/1.1.1/data_stream/junos/fields/agent.yml b/packages/juniper/1.1.1/data_stream/junos/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/junos/fields/agent.yml
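Review bot: The `on_failure` handler at the end of the hunk records the failure text in `error.message` but leaves the document otherwise unmarked, so an event whose processing aborted is indistinguishable in a search from a fully processed one, and any detection or dashboard that filters on enriched fields silently misses it. Because the pipeline pins `ecs.version` to `8.0.0`, the ECS `event.kind` value `pipeline_error` is available; adding `- set:` / `field: event.kind` / `value: pipeline_error` under `on_failure` next to the existing `append` gives responders a cheap, indexed way to surface partially processed events. Note also that when the handler runs, the trailing `remove` of `event.original` has not executed, so the raw event is still present on those documents, which is useful for triage and worth a one-line comment above `on_failure:`.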
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
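Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so a YAML loader reads it as an integer while the field itself is declared `type: keyword`; the sibling examples (`i-1234567890abcdef0`, `us-east-1c`) are strings and this one should be too: `example: "666777888999"`. The same file already quotes `"18D109"` for `os.build`, so quoting is the local convention. If this file is copied from a shared ECS template rather than hand-written, the fix belongs in the template so it is not overwritten on the next regeneration.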
diff --git a/packages/juniper/1.1.1/data_stream/junos/fields/base-fields.yml b/packages/juniper/1.1.1/data_stream/junos/fields/base-fields.yml
new file mode 100755
index 0000000000..6092398a3f
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/junos/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: juniper
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: juniper.junos
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/juniper/1.1.1/data_stream/junos/fields/ecs.yml b/packages/juniper/1.1.1/data_stream/junos/fields/ecs.yml
new file mode 100755
index 0000000000..78ddffacce
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/junos/fields/ecs.yml
@@ -0,0 +1,541 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/juniper/1.1.1/data_stream/junos/fields/fields.yml b/packages/juniper/1.1.1/data_stream/junos/fields/fields.yml new file mode 100755 index 0000000000..ea69cd79e3 --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/junos/fields/fields.yml 
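Review bot: `@timestamp` and `tags` are declared again in this file although base-fields.yml, added in the same commit, already defines both, and the two `tags` definitions differ (`ignore_above: 1024` plus an example there, neither here), so the effective mapping depends on which field file the package tooling merges last. Drop the two entries from ecs.yml, or make their attributes identical to the base-fields.yml versions. Separately, `destination.geo.location` and `source.geo.location` are the only entries in this hunk carrying `level: core`; remove it for consistency with the other ECS fields here, none of which set a level.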
@@ -0,0 +1,1754 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + 
type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: 
cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - 
name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare
+ type: group
+ fields:
+ - name: patient_fname
+ type: keyword
+ description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_id
+ type: keyword
+ description: This key captures the unique ID for a patient
+ - name: patient_lname
+ type: keyword
+ description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: patient_mname
+ type: keyword
+ description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information
+ - name: endpoint
+ type: group
+ fields:
+ - name: host_state
+ type: keyword
+ description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on
+ - name: registry_key
+ type: keyword
+ description: This key captures the path to the registry key
+ - name: registry_value
+ type: keyword
+ description: This key captures values or decorators used within a registry entry
+- name: dns.question.domain
+ type: keyword
+ ignore_above: 1024
+ description: Server domain.
+- name: network.interface.name
+ type: keyword
diff --git a/packages/juniper/1.1.1/data_stream/junos/manifest.yml b/packages/juniper/1.1.1/data_stream/junos/manifest.yml
new file mode 100755
index 0000000000..21a652b50e
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/junos/manifest.yml
@@ -0,0 +1,204 @@
+title: Juniper JUNOS logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Juniper JUNOS logs
+ description: Collect Juniper JUNOS logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-junos
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9512
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Juniper JUNOS logs
+ description: Collect Juniper JUNOS logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-junos
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9512
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Juniper JUNOS logs
+ description: Collect Juniper JUNOS logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/juniper-junos.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-junos
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/juniper/1.1.1/data_stream/junos/sample_event.json b/packages/juniper/1.1.1/data_stream/junos/sample_event.json
new file mode 100755
index 0000000000..34b395dcad
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/junos/sample_event.json
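Review bot: The `processors` description is written as `description: >` for the udp and tcp inputs but as `description: >-` for the logfile input, so the same sentence renders with a trailing newline in two of the three streams; use `description: >-` in all three. The `tz_offset` variable is titled "Timezone offset (+HH:mm format)" yet defaults to `"local"`, and the netscreen stream script added later in this commit accepts `local` and `event` as well as an offset; if the junos template feeds the same processor, a `description:` such as `Timezone offset in +HH:mm format, or "local" to use the agent host's timezone` would stop users from reading the default as invalid. The tcp input exposes no `ssl` variable, so from the policy UI a TCP listener can only receive syslog in cleartext; tcp.yml.hbs is not in view, so this only matters if that template supports an ssl block.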
@@ -0,0 +1,73 @@
+{
+ "@timestamp": "2021-01-29T06:09:59.000Z",
+ "agent": {
+ "ephemeral_id": "a290626c-b4c4-41a5-82c7-6477dcca1031",
+ "hostname": "docker-fleet-agent",
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "data_stream": {
+ "dataset": "juniper.junos",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "elastic_agent": {
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "action": "RPD_SCHED_TASK_LONGRUNTIME",
+ "agent_id_status": "verified",
+ "code": "RPD_SCHED_TASK_LONGRUNTIME",
+ "dataset": "juniper.junos",
+ "ingested": "2022-01-25T08:58:20Z",
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "172.19.0.4:45440"
+ }
+ },
+ "observer": {
+ "product": "Junos",
+ "type": "Routers",
+ "vendor": "Juniper"
+ },
+ "process": {
+ "name": "ceroinBC.exe",
+ "pid": 6713
+ },
+ "rsa": {
+ "counters": {
+ "dclass_c1": 7309,
+ "dclass_c2": 5049
+ },
+ "internal": {
+ "event_desc": "task extended runtime",
+ "messageid": "RPD_SCHED_TASK_LONGRUNTIME"
+ },
+ "misc": {
+ "client": ": exe",
+ "event_type": "RPD_SCHED_TASK_LONGRUNTIME",
+ "pid": "6713"
+ },
+ "time": {
+ "day": "29",
+ "event_time": "2021-01-29T06:09:59.000Z",
+ "month": "Jan"
+ }
+ },
+ "tags": [
+ "juniper-junos",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/juniper/1.1.1/data_stream/netscreen/agent/stream/logfile.yml.hbs b/packages/juniper/1.1.1/data_stream/netscreen/agent/stream/logfile.yml.hbs
new file mode 100755
index 0000000000..dc684103a4
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/netscreen/agent/stream/logfile.yml.hbs
@@ -0,0 +1,26357 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Juniper" + product: "Netscreen" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} for %{p0}"); + + var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); + + var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); + + var dup9 = date_time({ + dest: "event_time", + args: ["fld1"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); + + var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); + + var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); + + var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); + + var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); + + var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); + + var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); + + var dup17 = setc("eventcategory","1502000000"); + + var dup18 = setc("eventcategory","1703000000"); + + var dup19 = setc("eventcategory","1603000000"); + + var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); + + var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); + + var dup22 = setc("eventcategory","1502050000"); + + var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); + + var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); + + var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); + + var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); + + var dup27 = setc("eventcategory","1801010000"); + + var dup28 = setc("eventcategory","1401060000"); + + var dup29 = setc("ec_subject","User"); + + var dup30 = setc("ec_activity","Logon"); + + var dup31 = setc("ec_theme","Authentication"); + + var dup32 = 
setc("ec_outcome","Success"); + + var dup33 = setc("eventcategory","1401070000"); + + var dup34 = setc("ec_activity","Logoff"); + + var dup35 = setc("eventcategory","1303000000"); + + var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); + + var dup37 = setc("eventcategory","1402020200"); + + var dup38 = setc("ec_theme","UserGroup"); + + var dup39 = setc("ec_outcome","Error"); + + var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); + + var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); + + var dup42 = setc("eventcategory","1402020300"); + + var dup43 = setc("ec_activity","Modify"); + + var dup44 = setc("eventcategory","1605000000"); + + var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); + + var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); + + var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); + + var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); + + var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); + + var dup50 = setc("eventcategory","1701020000"); + + var dup51 = setc("ec_theme","Configuration"); + + var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); + + var dup53 = setc("eventcategory","1301000000"); + + var dup54 = setc("ec_outcome","Failure"); + + var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); + + var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); + + var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); + + var dup58 = setc("eventcategory","1001000000"); + + var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); + + var dup60 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("saddr"), + field("daddr"), + ], + }); + + var dup61 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("saddr"), + field("daddr"), + field("sport"), + field("dport"), + ], + }); + + var dup62 = setc("eventcategory","1608010000"); + + var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); + + var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); + + var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); + + var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); + + var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); + + var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); + + var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); + + var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); + + var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); + + var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); + + var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); + + var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); + + var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); + + var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); + + var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); + + var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); + + var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); + + var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); + + var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var dup84 = setc("eventcategory","1002020000"); + + var dup85 = setc("eventcategory","1002000000"); + + var dup86 = setc("eventcategory","1603110000"); + + var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); + + var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); + + var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); + + var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); + + var dup91 = setc("eventcategory","1613040200"); + + var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); + + var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); + + var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); + + var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); + + var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); + + var dup97 = setc("eventcategory","1613050200"); + + var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); + + var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); + + var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); + + var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); + + var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); + + var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); + + var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); + + var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); + + var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); + + var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); + + var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); + + var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); + + var dup110 = 
match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); + + var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); + + var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); + + var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); + + var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); + + var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); + + var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); + + var dup117 = setc("eventcategory","1603090000"); + + var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); + + var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); + + var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); + + var dup121 = setc("eventcategory","1603030000"); + + var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); + + var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); + + var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); + + var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); + + var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); + + var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); + + var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); + + var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); + + var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); + + var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); + + var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); + + var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); + + var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); + + var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); + + var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); + + var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); + + var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); + + var dup141 = setc("eventcategory","1702030000"); + + var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); + + var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); + + var dup144 = setc("eventcategory","1601000000"); + + var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); + + var dup146 = date_time({ + dest: "event_time", + args: ["fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup147 = setc("eventcategory","1103000000"); + + var dup148 = setc("ec_subject","NetworkComm"); + + var dup149 = setc("ec_activity","Scan"); + + var dup150 = setc("ec_theme","TEV"); + + var dup151 = setc("eventcategory","1103010000"); + + var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); + + var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); + + var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); + + var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); + + var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled 
%{p0}"); + + var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); + + var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); + + var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); + + var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); + + var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); + + var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); + + var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); + + var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); + + var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); + + var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); + + var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); + + var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); + + var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); + + var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); + + var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); + + var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); + + var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); + + var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); + + var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); + + var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); + + var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); + + var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); + + var dup179 = 
match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); + + var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); + + var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); + + var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); + + var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); + + var dup184 = setc("eventcategory","1603020000"); + + var dup185 = setc("eventcategory","1803000000"); + + var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); + + var dup187 = setc("eventcategory","1603010000"); + + var dup188 = setc("eventcategory","1603100000"); + + var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); + + var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); + + var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); + + var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); + + var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); + + var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); + + var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); + + var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); + + var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); + + var dup198 = setc("eventcategory","1801030000"); + + var dup199 = setc("eventcategory","1302010200"); + + var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); + + var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); + + var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); + + var dup203 = setc("eventcategory","1304000000"); + + var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); + + var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", 
"occurred for %{p0}"); + + var dup206 = setc("eventcategory","1401030000"); + + var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); + + var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); + + var dup209 = setc("eventcategory","1605020000"); + + var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); + + var dup211 = setc("ec_subject","Certificate"); + + var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); + + var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); + + var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); + + var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); + + var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); + + var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); + + var dup218 = setc("ec_subject","CryptoKey"); + + var dup219 = setc("ec_subject","Configuration"); + + var dup220 = setc("ec_activity","Request"); + + var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); + + var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); + + var dup223 = setc("eventcategory","1612000000"); + + var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); + + var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); + + var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); + + var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); + + var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); + + var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); + + var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); + + var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); + + var dup232 
= setc("eventcategory","1201000000"); + + var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); + + var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); + + var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); + + var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); + + var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); + + var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); + + var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup240 = setc("eventcategory","1401000000"); + + var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); + + var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); + + var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); + + var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); + + var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); + + var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); + + var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); + + var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); + + var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); + + var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); + + var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); + + var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); + + var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); + + var dup254 = setc("eventcategory","1608000000"); + + var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: 
%{p0}"); + + var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); + + var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); + + var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); + + var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); + + var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); + + var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); + + var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); + + var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); + + var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); + + var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); + + var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); + + var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); + + var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); + + var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); + + var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var dup272 = setc("eventcategory","1805010000"); + + var dup273 = setc("eventcategory","1805000000"); + + var dup274 = date_time({ + dest: "starttime", + args: ["fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup275 = call({ + dest: "nwparser.bytes", + fn: CALC, + args: [ + field("sbytes"), + constant("+"), + field("rbytes"), + ], + }); + + var dup276 = setc("action","Deny"); + + var dup277 = setc("disposition","Deny"); + + var dup278 = setc("direction","outgoing"); + + var dup279 = call({ + dest: 
"nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("saddr"), + field("daddr"), + field("sport"), + field("dport"), + ], + }); + + var dup280 = setc("direction","incoming"); + + var dup281 = setc("eventcategory","1801000000"); + + var dup282 = setf("action","disposition"); + + var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); + + var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); + + var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); + + var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); + + var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); + + var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); + + var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); + + var dup290 = setc("eventcategory","1401050200"); + + var dup291 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("daddr"), + field("saddr"), + ], + }); + + var dup292 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("daddr"), + field("saddr"), + field("dport"), + field("sport"), + ], + }); + + var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); + + var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); + + var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); + + var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup297 = setc("eventcategory","1204000000"); + + var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + + var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); + + var dup301 = setc("eventcategory","1801020000"); + + var dup302 = setc("disposition","failed"); + + var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); + + var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); + + var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); + + var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); + + var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); + + var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); + + var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); + + var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); + + var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); + + var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); + + var dup313 = setc("eventcategory","1803020000"); + + var dup314 = setc("eventcategory","1613030000"); + + var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); + + var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); + + var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); + + var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); + + var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); + + var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); + + var dup321 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); + + var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); + + var dup323 = setc("event_description","Cannot connect to NSM server"); + + var dup324 = setc("eventcategory","1603040000"); + + var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); + + var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); + + var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); + + var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); + + var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); + + var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); + + var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); + + var dup332 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("daddr"), + field("saddr"), + field("dport"), + field("sport"), + ], + }); + + var dup333 = linear_select([ + dup10, + dup11, + ]); + + var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var dup335 = linear_select([ + dup13, + dup14, + ]); + + var dup336 = linear_select([ + dup15, + dup16, + ]); + + var dup337 = linear_select([ + dup56, + dup57, + ]); + + var dup338 = linear_select([ + dup65, + dup66, + ]); + + var dup339 = linear_select([ + dup68, + dup69, + ]); + + var dup340 = linear_select([ + dup71, + dup72, + ]); + + var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var dup342 = linear_select([ + dup74, + dup75, + ]); + + var dup343 = linear_select([ + dup81, + dup82, + ]); + + var dup344 = linear_select([ + 
dup24, + dup90, + ]); + + var dup345 = linear_select([ + dup94, + dup95, + ]); + + var dup346 = linear_select([ + dup98, + dup99, + ]); + + var dup347 = linear_select([ + dup100, + dup101, + dup102, + ]); + + var dup348 = linear_select([ + dup113, + dup114, + ]); + + var dup349 = linear_select([ + dup111, + dup16, + ]); + + var dup350 = linear_select([ + dup127, + dup107, + ]); + + var dup351 = linear_select([ + dup8, + dup21, + ]); + + var dup352 = linear_select([ + dup122, + dup133, + ]); + + var dup353 = linear_select([ + dup142, + dup143, + ]); + + var dup354 = linear_select([ + dup145, + dup21, + ]); + + var dup355 = linear_select([ + dup127, + dup106, + ]); + + var dup356 = linear_select([ + dup152, + dup96, + ]); + + var dup357 = linear_select([ + dup154, + dup155, + ]); + + var dup358 = linear_select([ + dup156, + dup157, + ]); + + var dup359 = linear_select([ + dup99, + dup134, + ]); + + var dup360 = linear_select([ + dup158, + dup159, + ]); + + var dup361 = linear_select([ + dup161, + dup162, + ]); + + var dup362 = linear_select([ + dup163, + dup103, + ]); + + var dup363 = linear_select([ + dup162, + dup161, + ]); + + var dup364 = linear_select([ + dup46, + dup47, + ]); + + var dup365 = linear_select([ + dup166, + dup167, + ]); + + var dup366 = linear_select([ + dup172, + dup173, + ]); + + var dup367 = linear_select([ + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + ]); + + var dup368 = linear_select([ + dup49, + dup21, + ]); + + var dup369 = linear_select([ + dup189, + dup190, + ]); + + var dup370 = linear_select([ + dup96, + dup152, + ]); + + var dup371 = linear_select([ + dup196, + dup197, + ]); + + var dup372 = linear_select([ + dup24, + dup200, + ]); + + var dup373 = linear_select([ + dup103, + dup163, + ]); + + var dup374 = linear_select([ + dup205, + dup118, + ]); + + var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to 
%{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var dup376 = linear_select([ + dup212, + dup213, + ]); + + var dup377 = linear_select([ + dup215, + dup216, + ]); + + var dup378 = linear_select([ + dup222, + dup215, + ]); + + var dup379 = linear_select([ + dup224, + dup225, + ]); + + var dup380 = linear_select([ + dup231, + dup124, + ]); + + var dup381 = linear_select([ + dup229, + dup230, + ]); + + var dup382 = linear_select([ + dup233, + dup234, + ]); + + var dup383 = linear_select([ + dup236, + dup237, + ]); + + var dup384 = linear_select([ + dup242, + dup243, + ]); + + var dup385 = linear_select([ + dup245, + dup246, + ]); + + var dup386 = linear_select([ + dup247, + dup248, + ]); + + var dup387 = linear_select([ + dup249, + dup250, + ]); + + var dup388 = linear_select([ + dup251, + dup252, + ]); + + var dup389 = linear_select([ + dup260, + dup261, + ]); + + var dup390 = linear_select([ + dup264, + dup265, + ]); + + var dup391 = linear_select([ + dup268, + dup269, + ]); + + var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var dup393 = linear_select([ + dup284, + dup285, + ]); + + var dup394 = linear_select([ + dup287, + dup288, + ]); + + var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup60, + ])); + + var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, + ])); + + var dup397 = linear_select([ + dup300, + dup26, + ]); + + var dup398 = linear_select([ + dup115, + dup303, + ]); + + var dup399 = linear_select([ + dup125, + dup96, + ]); + + var dup400 = linear_select([ + dup189, + dup308, + dup309, + ]); + + var dup401 = linear_select([ + dup310, + dup16, + ]); + + var dup402 = linear_select([ + dup317, + dup318, + ]); + + var dup403 = linear_select([ + dup319, + dup315, + ]); + + var dup404 = linear_select([ + dup322, + dup250, + ]); + + var dup405 = linear_select([ + dup327, + dup329, + ]); + + var dup406 = linear_select([ + dup330, + dup129, + ]); + + var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup60, + dup282, + ])); + + var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup60, + ])); + + var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup60, + 
dup282, + ])); + + var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup61, + ])); + + var dup411 = all_match({ + processors: [ + dup263, + dup390, + dup266, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var dup412 = all_match({ + processors: [ + dup267, + dup391, + dup270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var dup413 = all_match({ + processors: [ + dup80, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var dup414 = all_match({ + processors: [ + dup296, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + + var dup415 = all_match({ + processors: [ + dup298, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr4 = 
match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); + + var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); + + var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); + + var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); + + var select1 = linear_select([ + part1, + part2, + part3, + ]); + + var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); + + var all1 = all_match({ + processors: [ + hdr4, + select1, + part4, + ], + on_success: processor_chain([ + setc("header_id","0002"), + ]), + }); + + var select2 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + ]); + + var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1 = msg("00001", part5); + + var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg2 = msg("00001:01", part6); + + var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); + + var select3 = linear_select([ + part7, + dup7, + ]); + + var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); + + var all2 = all_match({ + processors: [ + dup6, + select3, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg3 = msg("00001:02", all2); + + var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg4 = msg("00001:03", part9); + + var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); + + 
var select4 = linear_select([ + part10, + dup7, + ]); + + var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); + + var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); + + var select5 = linear_select([ + dup8, + part12, + ]); + + var all3 = all_match({ + processors: [ + dup6, + select4, + part11, + select5, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg5 = msg("00001:04", all3); + + var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); + + var all4 = all_match({ + processors: [ + part13, + dup333, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg6 = msg("00001:05", all4); + + var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg7 = msg("00001:06", part14); + + var msg8 = msg("00001:07", dup334); + + var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); + + var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); + + var all5 = all_match({ + processors: [ + dup12, + dup335, + part15, + dup336, + part16, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg9 = msg("00001:08", all5); + + var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); + + var all6 = all_match({ + processors: [ + dup12, + dup335, + part17, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg10 = msg("00001:09", all6); + + var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg11 = msg("00002:03", part18); + + var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg12 = msg("00002:04", part19); + + var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg13 = msg("00002:05", part20); + + var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg14 = msg("00002:06", part21); + + var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg15 = msg("00002:07", part22); + + var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg16 = msg("00002:55", part23); + + var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg17 = msg("00002:08", part24); + + var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg18 = msg("00002:09", part25); + + var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg19 = msg("00002:10", part26); + + var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg20 = msg("00002:11", part27); + + var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg21 = msg("00002:12", part28); + + var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg22 = msg("00002:15", part29); + + var msg23 = msg("00002:17", dup334); + + var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); + + var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); + + var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); + + var select7 = linear_select([ + part31, + part32, + ]); + + var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); + + var all7 = all_match({ + processors: [ + 
part30, + select7, + part33, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg24 = msg("00002:18", all7); + + var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg25 = msg("00002:19", part34); + + var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); + + var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); + + var select8 = linear_select([ + part36, + dup20, + dup21, + ]); + + var all8 = all_match({ + processors: [ + part35, + select8, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg26 = msg("00002:20", all8); + + var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); + + var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); + + var select9 = linear_select([ + part37, + part38, + ]); + + var select10 = linear_select([ + dup24, + dup25, + ]); + + var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); + + var all9 = all_match({ + processors: [ + select9, + dup23, + select10, + part39, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg27 = msg("00002:21", all9); + + var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); + + var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); + + var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", 
"%{administrator->} from host %{saddr}"); + + var select11 = linear_select([ + part41, + part42, + dup26, + ]); + + var all10 = all_match({ + processors: [ + part40, + select11, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg28 = msg("00002:22", all10); + + var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); + + var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); + + var select12 = linear_select([ + dup20, + part44, + dup21, + ]); + + var all11 = all_match({ + processors: [ + part43, + select12, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg29 = msg("00002:23", all11); + + var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); + + var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); + + var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); + + var select13 = linear_select([ + part46, + part47, + ]); + + var all12 = all_match({ + processors: [ + part45, + select13, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg30 = msg("00002:24", all12); + + var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + setc("eventcategory","1402000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg31 = msg("00002:25", part48); + + var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg32 = msg("00002:26", 
part49); + + var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg33 = msg("00002:27", part50); + + var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg34 = msg("00002:28", part51); + + var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg35 = msg("00002:29", part52); + + var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ + dup28, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg36 = msg("00002:30", part53); + + var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ + dup33, + dup29, + dup34, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg37 = msg("00002:41", part54); + + var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup35, + dup29, + dup30, + dup31, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg38 = msg("00002:31", part55); + + var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); + + var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); + + var select14 = 
linear_select([ + part56, + part57, + ]); + + var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); + + var all13 = all_match({ + processors: [ + select14, + part58, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg39 = msg("00002:32", all13); + + var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg40 = msg("00002:35", part59); + + var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); + + var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); + + var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); + + var select15 = linear_select([ + part61, + part62, + ]); + + var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); + + var all14 = all_match({ + processors: [ + part60, + select15, + part63, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg41 = msg("00002:36", all14); + + var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); + + var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); + + var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); + + var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); + + var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); + + var select16 = linear_select([ + part65, + part66, + part67, + part68, + ]); + + var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); + + var all15 = all_match({ + processors: [ + part64, + select16, + part69, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg42 = 
msg("00002:37", all15); + + var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); + + var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); + + var select17 = linear_select([ + part71, + dup36, + ]); + + var all16 = all_match({ + processors: [ + part70, + select17, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg43 = msg("00002:38", all16); + + var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg44 = msg("00002:39", part72); + + var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ + dup37, + dup29, + setc("ec_activity","Create"), + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg45 = msg("00002:40", part73); + + var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg46 = msg("00002:44", part74); + + var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); + + var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); + + var select18 = linear_select([ + part76, + dup40, + ]); + + var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); + + var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); + + var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); + + var select19 = linear_select([ + part78, + part79, + ]); + + var all17 = all_match({ + processors: [ + part75, + select18, + part77, + select19, + dup41, + ], + on_success: processor_chain([ + dup42, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg47 = msg("00002:42", all17); + + var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); + + var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); + + var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); + + var select20 = linear_select([ + part81, + part82, + ]); + + var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + + var all18 = all_match({ + processors: [ + part80, + select20, + part83, + ], + on_success: processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg48 = msg("00002:43", all18); + + var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by 
%{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg49 = msg("00002:50", part84); + + var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg50 = msg("00002:51", part85); + + var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg51 = msg("00002:45", part86); + + var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); + + var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); + + var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); + + var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); + + var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); + + var select21 = linear_select([ + part87, + part88, + part89, + part90, + part91, + ]); + + var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); + + var all19 = all_match({ + processors: [ + select21, + part92, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg52 = msg("00002:47", all19); + + var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); + + var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); + + var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); + + var select22 = linear_select([ + part94, + part95, + ]); + + var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); + + var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); + + var select23 = linear_select([ + part97, + dup45, + ]); + + var all20 = all_match({ + processors: [ + part93, + select22, + part96, + select23, + dup41, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg53 = msg("00002:48", all20); + + var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); + + var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); + + var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); + + var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); + + var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); + + var select24 = linear_select([ + part99, + part100, + part101, + part102, + ]); + + var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); + + var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); + + var select25 = linear_select([ + dup46, + part104, + dup47, + ]); + + var select26 = linear_select([ + dup48, + dup45, + ]); + + var all21 = all_match({ + processors: [ + 
part98, + select24, + part103, + select25, + select26, + dup41, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg54 = msg("00002:52", all21); + + var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ + dup42, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg55 = msg("00002:53", part105); + + var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); + + var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); + + var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); + + var select27 = linear_select([ + part107, + part108, + ]); + + var all22 = all_match({ + processors: [ + part106, + select27, + dup49, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), + }); + + var msg56 = msg("00002:54", all22); + + var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); + + var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); + + var select28 = linear_select([ + part110, + dup52, + ]); + + var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); + + var all23 = all_match({ + processors: [ + part109, + select28, + part111, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg57 = msg("00002", all23); + + var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ + dup53, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg58 = msg("00002:56", part112); + + var select29 = linear_select([ + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + ]); + + var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup53, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg59 = msg("00003", part113); + + var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ + dup53, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg60 = msg("00003:01", part114); + + var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg61 = msg("00003:02", part115); + + var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg62 = msg("00003:03", part116); + + var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); + + var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); + + var select30 = linear_select([ + part117, + part118, + ]); + + var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been 
%{disposition->} by admin %{administrator}."); + + var all24 = all_match({ + processors: [ + dup55, + select30, + part119, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg63 = msg("00003:05", all24); + + var select31 = linear_select([ + msg59, + msg60, + msg61, + msg62, + msg63, + ]); + + var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg64 = msg("00004", part120); + + var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg65 = msg("00004:01", part121); + + var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg66 = msg("00004:02", part122); + + var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg67 = msg("00004:03", part123); + + var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); + + var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); + + var all25 = all_match({ + processors: [ + part124, + dup337, + part125, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup59, + dup3, + dup60, + ]), + }); + + var msg68 = msg("00004:04", all25); + + var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg69 = msg("00004:05", part126); + + var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg70 = msg("00004:06", part127); + + var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg71 = msg("00004:07", part128); + + var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg72 = msg("00004:08", part129); + + var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg73 = msg("00004:09", part130); + + var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg74 = msg("00004:10", part131); + + var part132 = match("MESSAGE#73:00004:11", 
"nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg75 = msg("00004:11", part132); + + var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg76 = msg("00004:12", part133); + + var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg77 = msg("00004:13", part134); + + var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); + + var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); + + var select32 = linear_select([ + part135, + part136, + ]); + + var all26 = all_match({ + processors: [ + dup63, + select32, + dup49, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg78 = msg("00004:14", all26); + + var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg79 = msg("00004:15", part137); + + var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg80 = msg("00004:16", part138); + + var all27 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup9, + dup5, + dup3, + dup60, + ]), + }); + + var msg81 = msg("00004:17", all27); + + var select33 = linear_select([ + msg64, + msg65, + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + ]); + + var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg82 = msg("00005", part139); + + var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg83 = msg("00005:01", part140); + + var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg84 = msg("00005:02", part141); + + var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); + + var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); + + var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); + + var select34 = linear_select([ + part144, + dup73, + ]); + + var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); + + var all28 = all_match({ + processors: [ + part142, + dup339, + dup70, + dup340, + part143, + select34, + part145, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ]), + }); + + var msg85 = msg("00005:03", all28); + + var msg86 = msg("00005:04", dup341); + + var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ + setc("eventcategory","1001020100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg87 = msg("00005:05", part146); + + var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); + + var all29 = all_match({ + processors: [ + dup342, + part147, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg88 = msg("00005:06", all29); + + var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); + + var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); + + var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); + + var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); + + var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); + + var select35 = linear_select([ + part149, + part150, + dup76, + part151, + part152, + ]); + + var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); + + var all30 = all_match({ + processors: [ + part148, + select35, + part153, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg89 = msg("00005:07", all30); + 
+ var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); + + var select36 = linear_select([ + dup77, + dup78, + ]); + + var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); + + var all31 = all_match({ + processors: [ + dup342, + part154, + select36, + part155, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg90 = msg("00005:08", all31); + + var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg91 = msg("00005:09", part156); + + var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg92 = msg("00005:10", part157); + + var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); + + var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); + + var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); + + var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); + + var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); + + var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); + + var select37 = linear_select([ + part159, + part160, + part161, + part162, + part163, + ]); + + var all32 = all_match({ + processors: [ + part158, + select37, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg93 = msg("00005:11", all32); + + var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ + dup1, + dup2, + 
dup3, + dup4, + dup5, + ])); + + var msg94 = msg("00005:12", part164); + + var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg95 = msg("00005:13", part165); + + var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg96 = msg("00005:14", part166); + + var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg97 = msg("00005:15", part167); + + var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg98 = msg("00005:16", part168); + + var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); + + var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); + + var select38 = linear_select([ + part169, + part170, + ]); + + var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); + + var all33 = all_match({ + processors: [ + dup79, + select38, + part171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg99 = msg("00005:17", all33); + + var all34 = all_match({ + processors: [ + dup80, + dup343, + dup83, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg100 = msg("00005:18", all34); + + var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol 
%{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup84, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ])); + + var msg101 = msg("00005:19", part172); + + var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup84, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg102 = msg("00005:20", part173); + + var select39 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + ]); + + var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, + ])); + + var msg103 = msg("00006", part174); + + var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg104 = msg("00006:01", part175); + + var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg105 = msg("00006:02", part176); + + var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg106 = msg("00006:03", part177); + + var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + + var all35 = all_match({ + processors: [ + part178, + dup338, + dup67, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg107 = msg("00006:04", all35); + + var all36 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg108 = msg("00006:05", all36); + + var select40 = linear_select([ + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + ]); + + var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg109 = msg("00007", part179); + + var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg110 = msg("00007:01", part180); + + var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); + + var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); + + var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); + + var select41 = linear_select([ + part182, + part183, + ]); + + var all37 = all_match({ + processors: [ + part181, + select41, + ], + on_success: processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg111 = msg("00007:02", all37); + + var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg112 = msg("00007:03", 
part184); + + var select42 = linear_select([ + dup88, + dup89, + ]); + + var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); + + var all38 = all_match({ + processors: [ + dup87, + select42, + dup23, + dup344, + part185, + ], + on_success: processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg113 = msg("00007:04", all38); + + var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg114 = msg("00007:05", part186); + + var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg115 = msg("00007:06", part187); + + var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg116 = msg("00007:07", part188); + + var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg117 = msg("00007:08", part189); + + var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg118 = msg("00007:09", part190); + + var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg119 = msg("00007:10", 
part191); + + var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); + + var select43 = linear_select([ + dup92, + dup93, + ]); + + var all39 = all_match({ + processors: [ + part192, + select43, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg120 = msg("00007:11", all39); + + var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg121 = msg("00007:12", part193); + + var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg122 = msg("00007:13", part194); + + var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup60, + ])); + + var msg123 = msg("00007:14", part195); + + var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg124 = msg("00007:15", part196); + + var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg125 = msg("00007:16", part197); + + var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + 
dup5, + ])); + + var msg126 = msg("00007:17", part198); + + var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); + + var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); + + var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); + + var select44 = linear_select([ + part200, + part201, + ]); + + var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); + + var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); + + var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); + + var select45 = linear_select([ + part203, + part204, + ]); + + var all40 = all_match({ + processors: [ + part199, + select44, + part202, + select45, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg127 = msg("00007:18", all40); + + var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg128 = msg("00007:20", part205); + + var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); + + var all41 = all_match({ + processors: [ + part206, + dup345, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg129 = msg("00007:21", all41); + + var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg130 = msg("00007:22", part207); + + var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg131 = msg("00007:23", part208); + + var part209 = 
match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg132 = msg("00007:24", part209); + + var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg133 = msg("00007:25", part210); + + var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); + + var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); + + var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); + + var select46 = linear_select([ + part212, + part213, + ]); + + var all42 = all_match({ + processors: [ + part211, + select46, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg134 = msg("00007:26", all42); + + var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg135 = msg("00007:27", part214); + + var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg136 = msg("00007:28", part215); + + var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); + + var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); + + var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); + + var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); + + var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); + + var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master 
with smaller MAC value%{}"); + + var select47 = linear_select([ + part217, + part218, + part219, + part220, + part221, + ]); + + var all43 = all_match({ + processors: [ + part216, + select47, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg137 = msg("00007:29", all43); + + var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg138 = msg("00007:30", part222); + + var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); + + var all44 = all_match({ + processors: [ + part223, + dup345, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg139 = msg("00007:31", all44); + + var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); + + var select48 = linear_select([ + dup89, + dup88, + ]); + + var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); + + var all45 = all_match({ + processors: [ + part224, + select48, + dup23, + dup344, + part225, + ], + on_success: processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg140 = msg("00007:32", all45); + + var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); + + var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); + + var select49 = linear_select([ + part226, + part227, + ]); + + var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); + + var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); + + var select50 = linear_select([ + part229, + dup96, + ]); + + var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); + + var all46 = all_match({ + processors: [ + select49, + part228, + select50, + 
part230, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg141 = msg("00007:33", all46); + + var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ + dup97, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg142 = msg("00007:34", part231); + + var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg143 = msg("00007:35", part232); + + var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg144 = msg("00007:36", part233); + + var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); + + var all47 = all_match({ + processors: [ + part234, + dup346, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg145 = msg("00007:37", all47); + + var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); + + var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); + + var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); + + var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); + + var select51 = linear_select([ + part237, + part238, + ]); + + var all48 = all_match({ + processors: [ + part235, + dup347, + dup103, + dup347, + part236, + select51, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg146 = msg("00007:38", all48); + + var part239 = 
match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); + + var all49 = all_match({ + processors: [ + part239, + dup346, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg147 = msg("00007:39", all49); + + var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg148 = msg("00007:40", part240); + + var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg149 = msg("00007:41", part241); + + var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg150 = msg("00007:42", part242); + + var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg151 = msg("00007:43", part243); + + var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg152 = msg("00007:44", part244); + + var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg153 = msg("00007:45", part245); + + var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup60, + ])); + + var msg154 = msg("00007:46", part246); + + var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg155 = msg("00007:47", part247); + + var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ + dup97, + dup2, + dup3, + dup4, + setc("disposition","dropped"), + setc("result","Invalid encryption Password"), + ])); + + var msg156 = msg("00007:48", part248); + + var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ + setc("eventcategory","1604000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg157 = msg("00007:49", part249); + + var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); + + var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); + + var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); + + var select52 = linear_select([ + part251, + part252, + ]); + + var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); + + var all50 = all_match({ + processors: [ + part250, + select52, + part253, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg158 = msg("00007:50", all50); + + var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); + + var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); + 
+ var select53 = linear_select([ + dup104, + part255, + ]); + + var select54 = linear_select([ + dup105, + dup73, + ]); + + var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); + + var select55 = linear_select([ + dup106, + dup107, + ]); + + var all51 = all_match({ + processors: [ + part254, + select53, + dup23, + select54, + part256, + select55, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg159 = msg("00007:51", all51); + + var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg160 = msg("00007:52", part257); + + var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg161 = msg("00007:53", part258); + + var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg162 = msg("00007:54", part259); + + var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg163 = msg("00007:55", part260); + + var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg164 = msg("00007:56", part261); + + var select56 = linear_select([ + dup109, + dup110, + ]); + + var 
select57 = linear_select([ + dup111, + dup112, + ]); + + var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); + + var all52 = all_match({ + processors: [ + dup55, + select56, + dup23, + select57, + part262, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg165 = msg("00007:57", all52); + + var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg166 = msg("00007:58", part263); + + var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg167 = msg("00007:59", part264); + + var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg168 = msg("00007:60", part265); + + var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg169 = msg("00007:61", part266); + + var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg170 = msg("00007:62", part267); + + var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg171 = msg("00007:63", part268); + + var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the 
monitoring list %{p0}"); + + var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); + + var all53 = all_match({ + processors: [ + dup348, + part269, + dup349, + part270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg172 = msg("00007:64", all53); + + var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); + + var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); + + var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); + + var select58 = linear_select([ + part272, + part273, + ]); + + var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); + + var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); + + var all54 = all_match({ + processors: [ + dup348, + part271, + select58, + part274, + dup349, + part275, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg173 = msg("00007:65", all54); + + var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); + + var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); + + var select59 = linear_select([ + part276, + part277, + ]); + + var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); + + var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); + + var select60 = linear_select([ + part279, + dup115, + ]); + + var all55 = all_match({ + processors: [ + select59, + part278, + select60, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg174 = msg("00007:66", all55); + + var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + 
+ var msg175 = msg("00007:67", part280); + + var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); + + var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); + + var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); + + var select61 = linear_select([ + part282, + part283, + ]); + + var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); + + var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); + + var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); + + var select62 = linear_select([ + part285, + part286, + ]); + + var all56 = all_match({ + processors: [ + part281, + select61, + part284, + select62, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg176 = msg("00007:68", all56); + + var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg177 = msg("00007:69", part287); + + var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg178 = msg("00007:70", part288); + + var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg179 = msg("00007:71", part289); + + var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg180 = msg("00007:72", part290); + + var select63 = linear_select([ + msg109, + msg110, + msg111, + msg112, + msg113, + 
msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + msg130, + msg131, + msg132, + msg133, + msg134, + msg135, + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + ]); + + var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, + ])); + + var msg181 = msg("00008", part291); + + var msg182 = msg("00008:01", dup341); + + var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg183 = msg("00008:02", part292); + + var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg184 = msg("00008:03", part293); + + var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); + + var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); + + var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); + + var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); + + var select64 = linear_select([ + part295, + part296, + part297, + ]); + + var part298 = 
match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); + + var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); + + var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); + + var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); + + var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); + + var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); + + var select65 = linear_select([ + part299, + part300, + part301, + part302, + part303, + dup21, + ]); + + var all57 = all_match({ + processors: [ + part294, + select64, + part298, + select65, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), + }); + + var msg185 = msg("00008:04", all57); + + var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg186 = msg("00008:05", part304); + + var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ])); + + var msg187 = msg("00008:06", part305); + + var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup60, + ])); + + var msg188 = msg("00008:07", part306); + + var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup60, + ])); + + var msg189 = msg("00008:08", part307); + + var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg190 = msg("00008:09", part308); + + var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); + + var all58 = all_match({ + processors: [ + part309, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ]), + }); + + var msg191 = msg("00008:10", all58); + + var select66 = linear_select([ + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + msg187, + msg188, + msg189, + msg190, + msg191, + ]); + + var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg192 = msg("00009", part310); + + var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg193 = msg("00009:01", part311); + + var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has 
been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg194 = msg("00009:02", part312); + + var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg195 = msg("00009:03", part313); + + var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg196 = msg("00009:05", part314); + + var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); + + var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); + + var select67 = linear_select([ + part315, + part316, + ]); + + var select68 = linear_select([ + dup119, + dup16, + ]); + + var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); + + var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); + + var select69 = linear_select([ + dup120, + part318, + ]); + + var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); + + var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); + + var select70 = linear_select([ + part319, + part320, + ]); + + var all59 = all_match({ + processors: [ + select67, + dup118, + select68, + part317, + select69, + dup23, + select70, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg197 = msg("00009:06", all59); + + var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); + + 
var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); + + var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); + + var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); + + var select71 = linear_select([ + part323, + part324, + ]); + + var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); + + var all60 = all_match({ + processors: [ + part321, + dup337, + part322, + select71, + part325, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg198 = msg("00009:07", all60); + + var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg199 = msg("00009:09", part326); + + var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); + + var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); + + var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); + + var select72 = linear_select([ + part328, + part329, + ]); + + var all61 = all_match({ + processors: [ + part327, + select72, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg200 = msg("00009:10", all61); + + var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); + + var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); + + var select73 = linear_select([ + part330, + part331, + ]); + + var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); + + var all62 = all_match({ + processors: [ + select73, + part332, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + 
dup5, + ]), + }); + + var msg201 = msg("00009:11", all62); + + var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg202 = msg("00009:12", part333); + + var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg203 = msg("00009:13", part334); + + var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); + + var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); + + var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); + + var select74 = linear_select([ + part335, + part336, + part337, + ]); + + var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); + + var select75 = linear_select([ + dup122, + dup123, + ]); + + var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); + + var select76 = linear_select([ + part339, + dup124, + ]); + + var all63 = all_match({ + processors: [ + select74, + part338, + select75, + dup23, + select76, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg204 = msg("00009:14", all63); + + var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); + + var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); + + var select77 = linear_select([ + part341, + dup125, + ]); + + var all64 = all_match({ + processors: [ + part340, + select77, + dup126, + dup350, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg205 = msg("00009:15", all64); + + var part342 = 
match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); + + var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); + + var select78 = linear_select([ + dup129, + dup130, + part343, + ]); + + var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); + + var all65 = all_match({ + processors: [ + part342, + dup350, + dup23, + select78, + part344, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg206 = msg("00009:16", all65); + + var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); + + var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); + + var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); + + var select79 = linear_select([ + part346, + part347, + ]); + + var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); + + var all66 = all_match({ + processors: [ + part345, + select79, + part348, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg207 = msg("00009:17", all66); + + var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg208 = msg("00009:18", part349); + + var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg209 = msg("00009:19", part350); + + var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg210 = 
msg("00009:27", part351); + + var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); + + var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); + + var select80 = linear_select([ + part352, + part353, + ]); + + var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); + + var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); + + var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); + + var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); + + var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); + + var select81 = linear_select([ + part355, + part356, + part357, + part358, + ]); + + var all67 = all_match({ + processors: [ + select80, + part354, + select81, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg211 = msg("00009:20", all67); + + var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var all68 = all_match({ + processors: [ + part359, + dup343, + dup131, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ]), + }); + + var msg212 = msg("00009:21", all68); + + var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg213 = msg("00009:22", part360); + + var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ])); + + var msg214 = msg("00009:23", part361); + + var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); + + var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); + + var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); + + var select82 = linear_select([ + part363, + part364, + ]); + + var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); + + var all69 = all_match({ + processors: [ + part362, + select82, + part365, + ], + on_success: processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), + }); + + var msg215 = msg("00009:24", all69); + + var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ])); + + var msg216 = msg("00009:25", part366); + + var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); + + var all70 = all_match({ + processors: [ + part367, + dup333, + ], + on_success: processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), + }); + + var msg217 = msg("00009:26", all70); + + var select83 = linear_select([ + msg192, + msg193, + msg194, + msg195, + msg196, + msg197, + msg198, + msg199, + msg200, + msg201, + msg202, + msg203, + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + msg211, + msg212, + msg213, + msg214, + msg215, + msg216, + msg217, + ]); + + var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); + + var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); + + var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); + + var select84 = linear_select([ + part369, + part370, + ]); + + var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); + + var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); + + var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); + + var select85 = linear_select([ + part372, + part373, + dup126, + ]); + + var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); + + var all71 = all_match({ + processors: [ + part368, + select84, + part371, + select85, + part374, + dup351, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup5, + dup9, + dup3, + dup61, + ]), + }); + + var msg218 = msg("00010", all71); + + var part375 = match("MESSAGE#217:00010:01", 
"nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg219 = msg("00010:01", part375); + + var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg220 = msg("00010:02", part376); + + var all72 = all_match({ + processors: [ + dup132, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup9, + dup3, + dup60, + ]), + }); + + var msg221 = msg("00010:03", all72); + + var select86 = linear_select([ + msg218, + msg219, + msg220, + msg221, + ]); + + var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg222 = msg("00011", part377); + + var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); + + var select87 = linear_select([ + dup57, + dup56, + ]); + + var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); + + var all73 = all_match({ + processors: [ + part378, + select87, + part379, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg223 = msg("00011:01", all73); + + var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg224 = msg("00011:02", part380); + + var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); + + var part382 = match("MESSAGE#223:00011:03/1_0", 
"nwparser.p0", "import %{p0}"); + + var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); + + var select88 = linear_select([ + part382, + part383, + ]); + + var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); + + var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); + + var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); + + var select89 = linear_select([ + part385, + part386, + ]); + + var all74 = all_match({ + processors: [ + part381, + select88, + part384, + select89, + dup36, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg225 = msg("00011:03", all74); + + var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); + + var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); + + var all75 = all_match({ + processors: [ + part387, + dup352, + part388, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg226 = msg("00011:04", all75); + + var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); + + var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); + + var select90 = linear_select([ + part389, + part390, + ]); + + var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); + + var all76 = all_match({ + processors: [ + dup79, + select90, + part391, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg227 = msg("00011:05", all76); + + 
var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup59, + dup3, + dup60, + ])); + + var msg228 = msg("00011:07", part392); + + var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg229 = msg("00011:08", part393); + + var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg230 = msg("00011:09", part394); + + var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg231 = msg("00011:10", part395); + + var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg232 = msg("00011:11", part396); + + var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg233 = msg("00011:12", part397); + + var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg234 = msg("00011:13", part398); 
+ + var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); + + var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); + + var select91 = linear_select([ + dup134, + part400, + ]); + + var all77 = all_match({ + processors: [ + part399, + select91, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg235 = msg("00011:14", all77); + + var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg236 = msg("00011:15", part401); + + var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg237 = msg("00011:16", part402); + + var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); + + var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); + + var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); + + var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); + + var select92 = linear_select([ + part404, + part405, + part406, + ]); + + var all78 = all_match({ + processors: [ + part403, + select92, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg238 = msg("00011:17", all78); + + var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); + + var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); + + var select93 = linear_select([ + part407, + part408, + ]); + + var part409 = 
match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); + + var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); + + var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); + + var select94 = linear_select([ + part410, + part411, + ]); + + var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); + + var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); + + var select95 = linear_select([ + part413, + dup135, + ]); + + var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); + + var all79 = all_match({ + processors: [ + select93, + part409, + select94, + part412, + select95, + part414, + dup350, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg239 = msg("00011:18", all79); + + var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); + + var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); + + var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); + + var select96 = linear_select([ + part416, + part417, + ]); + + var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); + + var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); + + var select97 = linear_select([ + part419, + dup135, + ]); + + var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); + + var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); + + var select98 = linear_select([ + dup107, + part421, + ]); + + var all80 = all_match({ + processors: [ + part415, + select96, + part418, + select97, + part420, + 
select98, + dup136, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg240 = msg("00011:19", all80); + + var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); + + var select99 = linear_select([ + part422, + dup79, + ]); + + var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); + + var all81 = all_match({ + processors: [ + select99, + part423, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg241 = msg("00011:20", all81); + + var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg242 = msg("00011:21", part424); + + var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg243 = msg("00011:22", part425); + + var all82 = all_match({ + processors: [ + dup132, + dup343, + dup131, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("saddr"), + field("daddr"), + ], + }), + ]), + }); + + var msg244 = msg("00011:23", all82); + + var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg245 = msg("00011:24", part426); + + var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg246 = msg("00011:25", part427); + + var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg247 = msg("00011:26", part428); + + var select100 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + msg230, + msg231, + msg232, + msg233, + msg234, + msg235, + msg236, + msg237, + msg238, + msg239, + msg240, + msg241, + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + ]); + + var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg248 = msg("00012:02", part429); + + var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg249 = msg("00012:03", part430); + + var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg250 = msg("00012:04", part431); + + var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} 
(%{fld2}) (%{fld3})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg251 = msg("00012:05", part432); + + var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ])); + + var msg252 = msg("00012:06", part433); + + var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + dup59, + ])); + + var msg253 = msg("00012:07", part434); + + var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg254 = msg("00012:08", part435); + + var all83 = all_match({ + processors: [ + dup80, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg255 = msg("00012:09", all83); + + var all84 = all_match({ + processors: [ + dup132, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg256 = msg("00012:10", all84); + + var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup9, + dup61, + ])); + + var msg257 = msg("00012:11", part436); + + var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg258 = msg("00012:12", part437); + + var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg259 = msg("00012", part438); + + var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg260 = msg("00012:01", part439); + + var select101 = linear_select([ + msg248, + msg249, + msg250, + msg251, + msg252, + msg253, + msg254, + msg255, + msg256, + msg257, + msg258, + msg259, + msg260, + ]); + + var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg261 = msg("00013", part440); + + var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), + ])); + + var msg262 = msg("00013:01", part441); + + var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg263 = msg("00013:02", part442); + + var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg264 = msg("00013:03", part443); + + var select102 = linear_select([ + msg261, + msg262, + msg263, + msg264, + ]); + + var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg265 = msg("00014", part444); + + var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); + + var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); + + var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); + + var select103 = linear_select([ + part446, + part447, + ]); + + var all85 = all_match({ + processors: [ + part445, + select103, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg266 = msg("00014:01", all85); + + var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg267 = msg("00014:02", part448); + 
+ var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg268 = msg("00014:03", part449); + + var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg269 = msg("00014:04", part450); + + var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg270 = msg("00014:05", part451); + + var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg271 = msg("00014:06", part452); + + var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg272 = msg("00014:07", part453); + + var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ + dup27, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg273 = msg("00014:08", part454); + + var select104 = linear_select([ + msg265, + msg266, + msg267, + msg268, + msg269, + msg270, + msg271, + msg272, + msg273, + ]); + + var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg274 = msg("00015", part455); + + var part456 = match("MESSAGE#273:00015:01", 
"nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg275 = msg("00015:01", part456); + + var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); + + var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); + + var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); + + var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); + + var select105 = linear_select([ + part458, + dup137, + part459, + part460, + ]); + + var all86 = all_match({ + processors: [ + part457, + select105, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg276 = msg("00015:02", all86); + + var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg277 = msg("00015:03", part461); + + var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); + + var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); + + var select106 = linear_select([ + dup139, + dup140, + part463, + ]); + + var all87 = all_match({ + processors: [ + part462, + select106, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg278 = msg("00015:04", all87); + + var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); + + var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); + + var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); + + var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); + + var select107 = linear_select([ + part465, + part466, + 
dup76, + part467, + ]); + + var all88 = all_match({ + processors: [ + part464, + select107, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg279 = msg("00015:05", all88); + + var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); + + var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); + + var select108 = linear_select([ + part468, + part469, + ]); + + var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); + + var all89 = all_match({ + processors: [ + select108, + part470, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg280 = msg("00015:06", all89); + + var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg281 = msg("00015:07", part471); + + var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ + dup141, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg282 = msg("00015:08", part472); + + var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); + + var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); + + var select109 = linear_select([ + part473, + part474, + ]); + + var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); + + var all90 = all_match({ + processors: [ + select109, + part475, + ], + on_success: processor_chain([ + dup141, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg283 = msg("00015:09", all90); + + var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + 
var msg284 = msg("00015:10", part476); + + var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg285 = msg("00015:11", part477); + + var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); + + var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); + + var select110 = linear_select([ + part478, + part479, + ]); + + var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); + + var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); + + var all91 = all_match({ + processors: [ + dup87, + select110, + part480, + dup353, + dup103, + dup353, + part481, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg286 = msg("00015:12", all91); + + var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg287 = msg("00015:13", part482); + + var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); + + var all92 = all_match({ + processors: [ + part483, + dup353, + dup116, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg288 = msg("00015:14", all92); + + var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg289 = msg("00015:15", part484); + + var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg290 = msg("00015:16", part485); + + var part486 = match("MESSAGE#289:00015:17", 
"nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg291 = msg("00015:17", part486); + + var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + setc("change_attribute","RTO mirror group"), + ])); + + var msg292 = msg("00015:18", part487); + + var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg293 = msg("00015:19", part488); + + var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg294 = msg("00015:20", part489); + + var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); + + var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); + + var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); + + var select111 = linear_select([ + part491, + part492, + ]); + + var all93 = all_match({ + processors: [ + part490, + select111, + dup116, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg295 = msg("00015:21", all93); + + var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); + + var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); + + var part495 = match("MESSAGE#294:00015:22/0_2", 
"nwparser.payload", "Peer %{p0}"); + + var select112 = linear_select([ + part493, + part494, + part495, + ]); + + var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); + + var all94 = all_match({ + processors: [ + select112, + part496, + dup354, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg296 = msg("00015:22", all94); + + var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg297 = msg("00015:23", part497); + + var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg298 = msg("00015:24", part498); + + var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ + setc("eventcategory","1613050100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg299 = msg("00015:25", part499); + + var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ + dup97, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg300 = msg("00015:29", part500); + + var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); + + var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); + + var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); + + var select113 = linear_select([ + part502, + part503, + ]); + + var all95 = all_match({ + processors: [ + part501, + select113, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg301 = msg("00015:26", all95); + + var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + dup146, + ])); + + var msg302 = msg("00015:33", part504); + + var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg303 = msg("00015:27", part505); + + var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg304 = msg("00015:28", part506); + + var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); + + var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); + + var all96 = all_match({ + processors: [ + part507, + dup355, + part508, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg305 = msg("00015:30", all96); + + var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ + 
dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg306 = msg("00015:31", part509); + + var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg307 = msg("00015:32", part510); + + var select114 = linear_select([ + msg274, + msg275, + msg276, + msg277, + msg278, + msg279, + msg280, + msg281, + msg282, + msg283, + msg284, + msg285, + msg286, + msg287, + msg288, + msg289, + msg290, + msg291, + msg292, + msg293, + msg294, + msg295, + msg296, + msg297, + msg298, + msg299, + msg300, + msg301, + msg302, + msg303, + msg304, + msg305, + msg306, + msg307, + ]); + + var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg308 = msg("00016", part511); + + var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg309 = msg("00016:01", part512); + + var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ + dup1, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg310 = msg("00016:02", part513); + + var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg311 = msg("00016:03", part514); + + var part515 = 
match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg312 = msg("00016:05", part515); + + var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg313 = msg("00016:06", part516); + + var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); + + var all97 = all_match({ + processors: [ + part517, + dup338, + dup67, + ], + on_success: processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg314 = msg("00016:07", all97); + + var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + setc("eventcategory","1001020305"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg315 = msg("00016:08", part518); + + var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + setc("eventcategory","1001030305"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg316 = msg("00016:09", part519); + + var select115 = linear_select([ + msg308, + msg309, + msg310, + msg311, + msg312, + msg313, + msg314, + msg315, + msg316, + ]); + + var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ])); + + var msg317 = msg("00017", part520); + + var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); + + var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); + + var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); + + var select116 = linear_select([ + part522, + part523, + ]); + + var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); + + var all98 = all_match({ + processors: [ + part521, + select116, + part524, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg318 = msg("00017:23", all98); + + var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); + + var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); + + var select117 = linear_select([ + part525, + part526, + ]); + + var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); + + var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); + + var all99 = all_match({ + processors: [ + select117, + part527, + dup356, + part528, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg319 = msg("00017:01", all99); + + var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg320 = msg("00017:02", part529); + + var part530 = match("MESSAGE#319:00017:03", 
"nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg321 = msg("00017:03", part530); + + var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); + + var all100 = all_match({ + processors: [ + dup153, + dup357, + part531, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg322 = msg("00017:04", all100); + + var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg323 = msg("00017:05", part532); + + var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); + + var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); + + var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); + + var select118 = linear_select([ + part534, + dup101, + part535, + ]); + + var all101 = all_match({ + processors: [ + part533, + select118, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg324 = msg("00017:06", all101); + + var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); + + var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); + + var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); + + var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); + + var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); + + var select119 = linear_select([ + part537, + part538, + dup98, + part539, + part540, + ]); + + var all102 = all_match({ + processors: [ + part536, + select119, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + 
dup5, + ]), + }); + + var msg325 = msg("00017:07", all102); + + var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg326 = msg("00017:08", part541); + + var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); + + var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); + + var select120 = linear_select([ + part542, + part543, + ]); + + var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); + + var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); + + var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); + + var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); + + var select121 = linear_select([ + part545, + part546, + part547, + ]); + + var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); + + var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); + + var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); + + var select122 = linear_select([ + part549, + part550, + dup36, + ]); + + var all103 = all_match({ + processors: [ + select120, + part544, + select121, + part548, + select122, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg327 = msg("00017:09", all103); + + var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); + + var all104 = all_match({ + processors: [ + part551, + dup358, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg328 = msg("00017:10", all104); + + var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg329 = msg("00017:11", part552); + + var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); + + var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); + + var select123 = linear_select([ + dup109, + dup110, + part554, + ]); + + var all105 = all_match({ + processors: [ + part553, + select123, + dup127, + dup359, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg330 = msg("00017:12", all105); + + var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg331 = msg("00017:26", part555); + + var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg332 = msg("00017:13", part556); + + var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup9, + dup5, + ])); + + var msg333 = msg("00017:14", part557); + + var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); + + var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); + + var all106 = all_match({ + processors: [ + part558, + dup360, + part559, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg334 = msg("00017:15", all106); + + var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); + + var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); + + var all107 = all_match({ + processors: [ + part560, + dup360, + part561, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg335 = msg("00017:31", all107); + + var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); + + var all108 = all_match({ + processors: [ + part562, + dup359, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg336 = msg("00017:16", all108); + + var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); + + var select124 = linear_select([ + dup99, + dup93, + ]); + + var all109 = all_match({ + processors: [ + part563, + select124, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg337 = msg("00017:17", all109); + + var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); + + var all110 = all_match({ + processors: [ + dup153, + 
dup357, + part564, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg338 = msg("00017:18", all110); + + var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); + + var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); + + var all111 = all_match({ + processors: [ + part565, + dup337, + part566, + ], + on_success: processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ]), + }); + + var msg339 = msg("00017:19", all111); + + var all112 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup151, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + ]), + }); + + var msg340 = msg("00017:20", all112); + + var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ])); + + var msg341 = msg("00017:21", part567); + + var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg342 = msg("00017:22", part568); + + var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg343 = msg("00017:24", part569); + + var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg344 = msg("00017:25", part570); + + var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg345 = msg("00017:28", part571); + + var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg346 = msg("00017:29", part572); + + var select125 = linear_select([ + msg317, + msg318, + msg319, + msg320, + msg321, + msg322, + msg323, + msg324, + msg325, + msg326, + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + msg346, + ]); + + var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg347 = msg("00018", part573); + + var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ + setc("eventcategory","1502010000"), + dup2, + dup4, + dup5, + dup3, + ])); + + var msg348 = msg("00018:01", part574); + + var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg349 = msg("00018:02", part575); + + var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg350 = msg("00018:04", part576); + + var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg351 = msg("00018:16", part577); + + var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); + + var part579 = 
match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); + + var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); + + var select126 = linear_select([ + part579, + part580, + ]); + + var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); + + var all113 = all_match({ + processors: [ + part578, + select126, + part581, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg352 = msg("00018:06", all113); + + var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg353 = msg("00018:08", part582); + + var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup3, + dup2, + dup9, + dup4, + dup5, + ])); + + var msg354 = msg("00018:09", part583); + + var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); + + var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); + + var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); + + var select127 = linear_select([ + part585, + part586, + ]); + + var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); + + var all114 = all_match({ + processors: [ + part584, + select127, + part587, + ], + on_success: processor_chain([ + dup17, + dup3, + dup2, + dup9, + dup4, + dup5, + ]), + }); + + var msg355 = msg("00018:10", all114); + + var part588 = match("MESSAGE#354:00018:11/1_0", 
"nwparser.p0", "Service %{service->} was %{p0}"); + + var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); + + var select128 = linear_select([ + part588, + part589, + ]); + + var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); + + var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); + + var select129 = linear_select([ + part591, + dup16, + ]); + + var all115 = all_match({ + processors: [ + dup160, + select128, + part590, + select129, + dup10, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg356 = msg("00018:11", all115); + + var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); + + var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); + + var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); + + var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); + + var select130 = linear_select([ + part593, + part594, + part595, + ]); + + var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + + var all116 = all_match({ + processors: [ + part592, + select130, + part596, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg357 = msg("00018:12", all116); + + var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); + + var all117 = all_match({ + processors: [ + dup361, + part597, + dup362, + dup164, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg358 = msg("00018:32", 
all117); + + var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); + + var all118 = all_match({ + processors: [ + dup361, + part598, + dup362, + dup164, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg359 = msg("00018:22", all118); + + var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); + + var select131 = linear_select([ + dup78, + dup77, + ]); + + var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); + + var all119 = all_match({ + processors: [ + part599, + select131, + part600, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg360 = msg("00018:15", all119); + + var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); + + var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); + + var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); + + var select132 = linear_select([ + part602, + part603, + ]); + + var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); + + var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); + + var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); + + var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); + + var select133 = linear_select([ + part605, + part606, + part607, + ]); + + var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + + var all120 = all_match({ + processors: [ + part601, + select132, + part604, + select133, + part608, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + 
dup9, + dup4, + dup5, + ]), + }); + + var msg361 = msg("00018:14", all120); + + var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg362 = msg("00018:29", part609); + + var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg363 = msg("00018:07", part610); + + var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg364 = msg("00018:18", part611); + + var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg365 = msg("00018:17", part612); + + var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg366 = msg("00018:19", part613); + + var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); + + var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); + + var select134 = linear_select([ + part614, + part615, + ]); + + var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); + + var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); + + var select135 = linear_select([ + part617, + dup103, + ]); + + var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); + + var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var select136 = linear_select([ + part618, + part619, + ]); + + var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); + + var all121 = all_match({ + processors: [ + select134, + part616, + select135, + dup23, + select136, + part620, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg367 = msg("00018:23", all121); + + var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg368 = msg("00018:21", part621); + + var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg369 = msg("00018:24", part622); + + var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); + + var all122 = all_match({ + processors: [ + dup363, + part623, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg370 = msg("00018:25", all122); + + var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); + + var all123 = all_match({ + processors: [ + dup363, + part624, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg371 = msg("00018:30", all123); + + var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); + + var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); + + var select137 = linear_select([ + dup48, + part626, + ]); + + var all124 = all_match({ + processors: [ + part625, + dup364, + select137, + dup41, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg372 = msg("00018:26", all124); + + var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg373 = msg("00018:27", part627); + + var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ + dup17, + dup2, + dup4, + dup5, + dup9, + setc("info","the DI attack component was modified"), + ])); + + var msg374 = msg("00018:28", part628); + + var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg375 = msg("00018:03", part629); + + var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg376 = msg("00018:31", part630); + + var select138 = linear_select([ + msg347, + msg348, + msg349, + msg350, + msg351, + msg352, + msg353, + msg354, + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + msg362, + msg363, + msg364, + msg365, + msg366, + msg367, + msg368, + msg369, + msg370, + msg371, + msg372, + msg373, + msg374, + msg375, + msg376, + ]); + + var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg377 = msg("00019", part631); + + var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); + + var all125 = all_match({ + processors: [ + dup165, + dup365, + part632, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg378 = msg("00019:01", all125); + + var part633 = match("MESSAGE#376:00019:02/0", 
"nwparser.payload", "Socket cannot be assigned for %{p0}"); + + var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); + + var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); + + var select139 = linear_select([ + part634, + part635, + ]); + + var all126 = all_match({ + processors: [ + part633, + select139, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg379 = msg("00019:02", all126); + + var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg380 = msg("00019:03", part636); + + var select140 = linear_select([ + dup169, + dup78, + ]); + + var select141 = linear_select([ + dup139, + dup170, + dup137, + dup122, + ]); + + var all127 = all_match({ + processors: [ + dup168, + select140, + dup23, + select141, + dup171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg381 = msg("00019:04", all127); + + var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); + + var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); + + var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); + + var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); + + var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); + + var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); + + var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); + + var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); + + var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); + + var select142 = linear_select([ + part638, + part639, + part640, + part641, + part642, + part643, + part644, + part645, + 
]); + + var all128 = all_match({ + processors: [ + part637, + select142, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg382 = msg("00019:05", all128); + + var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); + + var all129 = all_match({ + processors: [ + dup168, + dup366, + part646, + dup367, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg383 = msg("00019:06", all129); + + var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg384 = msg("00019:07", part647); + + var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg385 = msg("00019:08", part648); + + var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); + + var select143 = linear_select([ + dup139, + dup170, + dup137, + ]); + + var all130 = all_match({ + processors: [ + part649, + select143, + dup171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg386 = msg("00019:09", all130); + + var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); + + var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); + + var select144 = linear_select([ + part650, + part651, + ]); + + var all131 = all_match({ + processors: [ + dup183, + select144, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg387 = msg("00019:10", all131); + + var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); + + var all132 = all_match({ + processors: [ + dup165, + dup365, + 
part652, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg388 = msg("00019:11", all132); + + var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg389 = msg("00019:12", part653); + + var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); + + var select145 = linear_select([ + dup107, + dup106, + ]); + + var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); + + var all133 = all_match({ + processors: [ + part654, + select145, + part655, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg390 = msg("00019:13", all133); + + var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); + + var all134 = all_match({ + processors: [ + dup168, + dup366, + part656, + dup367, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg391 = msg("00019:14", all134); + + var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg392 = msg("00019:15", part657); + + var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ + setc("eventcategory","1701030000"), + setc("ec_activity","Delete"), + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg393 = msg("00019:16", part658); + + var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg394 = msg("00019:17", part659); + + var 
part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); + + var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); + + var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); + + var select146 = linear_select([ + part661, + part662, + ]); + + var all135 = all_match({ + processors: [ + part660, + select146, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg395 = msg("00019:18", all135); + + var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg396 = msg("00019:19", part663); + + var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg397 = msg("00019:20", part664); + + var select147 = linear_select([ + msg377, + msg378, + msg379, + msg380, + msg381, + msg382, + msg383, + msg384, + msg385, + msg386, + msg387, + msg388, + msg389, + msg390, + msg391, + msg392, + msg393, + msg394, + msg395, + msg396, + msg397, + ]); + + var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg398 = msg("00020", part665); + + var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); + + var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); + + var select148 = linear_select([ + dup152, + part667, + ]); + + var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); + + var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); + + var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); + + var select149 = linear_select([ + part669, + part670, + ]); + + var all136 = all_match({ + processors: [ + part666, + select148, + part668, + select149, + ], + on_success: processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg399 = msg("00020:01", all136); + + var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg400 = msg("00020:02", part671); + + var select150 = linear_select([ + msg398, + msg399, + msg400, + ]); + + var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg401 = msg("00021", part672); + + var 
part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg402 = msg("00021:01", part673); + + var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg403 = msg("00021:02", part674); + + var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ + dup185, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg404 = msg("00021:03", part675); + + var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg405 = msg("00021:04", part676); + + var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg406 = msg("00021:05", part677); + + var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + setc("info","DIP port-translation stickiness was modified"), + ])); + + var msg407 = msg("00021:06", part678); + + var select151 = linear_select([ + msg401, + msg402, + msg403, + msg404, + msg405, + msg406, + msg407, + ]); + + var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); + + var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); + + var select152 = linear_select([ + part679, + part680, + ]); + + var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning 
properly"); + + var all137 = all_match({ + processors: [ + dup186, + select152, + part681, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg408 = msg("00022", all137); + + var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); + + var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); + + var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); + + var select153 = linear_select([ + part682, + part683, + part684, + ]); + + var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); + + var all138 = all_match({ + processors: [ + select153, + part685, + dup368, + ], + on_success: processor_chain([ + dup187, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg409 = msg("00022:01", all138); + + var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg410 = msg("00022:02", part686); + + var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg411 = msg("00022:03", part687); + + var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); + + var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); + + var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); + + var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); + + var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); + + var select154 = linear_select([ + part689, + part690, + part691, + part692, + ]); + + var part693 = 
match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); + + var all139 = all_match({ + processors: [ + part688, + select154, + part693, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg412 = msg("00022:04", all139); + + var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg413 = msg("00022:05", part694); + + var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); + + var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); + + var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); + + var select155 = linear_select([ + part696, + part697, + ]); + + var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); + + var all140 = all_match({ + processors: [ + part695, + select155, + part698, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg414 = msg("00022:06", all140); + + var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg415 = msg("00022:07", part699); + + var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); + + var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); + + var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); + + var select156 = linear_select([ + part700, + part701, + part702, + ]); + + var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); + + var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); + + var select157 = 
linear_select([ + part704, + dup96, + ]); + + var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); + + var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); + + var select158 = linear_select([ + part706, + dup96, + ]); + + var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); + + var all141 = all_match({ + processors: [ + select156, + part703, + select157, + part705, + select158, + part707, + ], + on_success: processor_chain([ + dup188, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg416 = msg("00022:08", all141); + + var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); + + var select159 = linear_select([ + dup191, + dup192, + ]); + + var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); + + var all142 = all_match({ + processors: [ + dup55, + dup369, + part708, + select159, + part709, + ], + on_success: processor_chain([ + dup188, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg417 = msg("00022:09", all142); + + var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); + + var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); + + var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); + + var select160 = linear_select([ + part711, + part712, + ]); + + var all143 = all_match({ + processors: [ + part710, + select160, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg418 = msg("00022:10", all143); + + var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); + + var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); + + var part715 = match("MESSAGE#416:00022:11/1_1", 
"nwparser.p0", "the loader, but the loader is intact%{}"); + + var select161 = linear_select([ + part714, + part715, + ]); + + var all144 = all_match({ + processors: [ + part713, + select161, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg419 = msg("00022:11", all144); + + var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); + + var select162 = linear_select([ + dup192, + dup191, + ]); + + var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); + + var all145 = all_match({ + processors: [ + part716, + select162, + part717, + ], + on_success: processor_chain([ + dup188, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg420 = msg("00022:12", all145); + + var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg421 = msg("00022:13", part718); + + var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg422 = msg("00022:14", part719); + + var select163 = linear_select([ + msg408, + msg409, + msg410, + msg411, + msg412, + msg413, + msg414, + msg415, + msg416, + msg417, + msg418, + msg419, + msg420, + msg421, + msg422, + ]); + + var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg423 = msg("00023", part720); + + var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg424 = msg("00023:01", part721); + + var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg425 = msg("00023:02", part722); + + var select164 = linear_select([ + msg423, + msg424, + msg425, + ]); + + var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); + + var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); + + var select165 = linear_select([ + part723, + part724, + ]); + + var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); + + var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); + + var select166 = linear_select([ + part725, + part726, + ]); + + var all146 = all_match({ + processors: [ + select165, + dup193, + select166, + dup52, + dup368, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg426 = msg("00024", all146); + + var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); + + var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); + + var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); + + var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); + + var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); + + var select167 = linear_select([ + part727, + part728, + part729, + part730, + part731, + ]); + + var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); + + var all147 = all_match({ + processors: [ + select167, + part732, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg427 = msg("00024:01", all147); + + var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); + + var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); + + var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); + + var select168 = linear_select([ + part734, + part735, + ]); + + var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); + + var all148 = all_match({ + processors: [ + part733, + select168, + part736, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg428 = msg("00024:02", all148); + + var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); + + var select169 = linear_select([ + dup194, + dup106, + ]); + + var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); + + var all149 = all_match({ + processors: [ + part737, + select169, + part738, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg429 = msg("00024:03", all149); + + var select170 = linear_select([ + msg426, + msg427, + msg428, + msg429, + ]); + + var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg430 = msg("00025", part739); + + var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg431 = msg("00025:01", part740); + + var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg432 = msg("00025:02", part741); + + var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg433 = msg("00025:03", part742); + + var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg434 = msg("00025:04", part743); + + var select171 = linear_select([ + msg430, + msg431, + msg432, + msg433, + msg434, + ]); + + var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg435 = msg("00026", part744); + + var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg436 = msg("00026:13", part745); + + var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); + + var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); + + var all150 = all_match({ + processors: [ + dup195, + dup370, + part746, + dup371, + part747, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg437 = msg("00026:01", all150); + + var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); + + var select172 = linear_select([ + part748, + dup96, + ]); + + var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); + + var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); + + var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); + + var select173 = linear_select([ + part750, + part751, + ]); + + var all151 = all_match({ + processors: [ + dup195, + select172, + part749, + select173, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg438 = msg("00026:02", all151); + + var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); + + var all152 = all_match({ + processors: [ + dup195, + dup370, + part752, + ], 
+ on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg439 = msg("00026:03", all152); + + var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ + dup198, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg440 = msg("00026:04", part753); + + var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ + dup198, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg441 = msg("00026:05", part754); + + var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ + dup199, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg442 = msg("00026:06", part755); + + var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ + dup199, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg443 = msg("00026:07", part756); + + var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); + + var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); + + var all153 = all_match({ + processors: [ + part757, + dup372, + part758, + ], + on_success: processor_chain([ + dup199, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg444 = msg("00026:08", all153); + + var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + 
])); + + var msg445 = msg("00026:09", part759); + + var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); + + var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); + + var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); + + var select174 = linear_select([ + part761, + part762, + ]); + + var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); + + var select175 = linear_select([ + part763, + dup201, + ]); + + var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); + + var all154 = all_match({ + processors: [ + part760, + select174, + dup103, + select175, + dup202, + dup373, + part764, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg446 = msg("00026:10", all154); + + var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg447 = msg("00026:11", part765); + + var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg448 = msg("00026:12", part766); + + var select176 = linear_select([ + msg435, + msg436, + msg437, + msg438, + msg439, + msg440, + msg441, + msg442, + msg443, + msg444, + msg445, + msg446, + msg447, + msg448, + ]); + + var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); + + var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); + + var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); + + var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); + + var select177 = linear_select([ + part768, + part769, + part770, + ]); + + var all155 = all_match({ + processors: [ + dup204, + dup374, + part767, + select177, + ], + on_success: processor_chain([ + dup206, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg449 = msg("00027", all155); + + var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg450 = msg("00027:01", part771); + + var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg451 = msg("00027:02", part772); + + var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg452 = msg("00027:03", part773); + + var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg453 = msg("00027:04", part774); + + var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); + + var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); + + var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); + + var select178 = linear_select([ + part776, + part777, + ]); + + var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); + + var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); + + var select179 = linear_select([ + part779, + dup127, + ]); + + var select180 = linear_select([ + dup207, + dup208, + ]); + + var all156 = all_match({ + processors: [ + part775, + select178, + part778, + select179, + dup23, + select180, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg454 = msg("00027:05", all156); + + var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); + + var select181 = linear_select([ + dup208, + dup207, + ]); + + var all157 = all_match({ + processors: [ + part780, + select181, + ], + on_success: processor_chain([ + setc("eventcategory","1606000000"), + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg455 = msg("00027:06", all157); + + var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg456 = msg("00027:07", part781); + + var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg457 = msg("00027:08", part782); + + var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg458 = msg("00027:09", part783); + + var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg459 = msg("00027:10", part784); + + var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg460 = msg("00027:11", part785); + + var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); + + var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); + + var select182 = linear_select([ + part787, + dup193, + ]); + + var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); + + var all158 = all_match({ + processors: [ + part786, + select182, + part788, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg461 = msg("00027:12", all158); + + var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); + + var all159 = all_match({ + processors: [ + dup204, + dup374, + part789, + ], + on_success: processor_chain([ + dup206, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg462 = msg("00027:13", all159); + + var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); + + var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); + + var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); + + var select183 = linear_select([ + part791, + part792, + ]); + + var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); + + var all160 = all_match({ + processors: [ + part790, + select183, + part793, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg463 = msg("00027:14", all160); + + var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg464 = msg("00027:15", part794); + + var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg465 = msg("00027:16", part795); + + var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg466 = msg("00027:17", part796); + + var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg467 = msg("00027:18", part797); + + var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg468 = msg("00027:19", part798); + + var select184 = linear_select([ + msg449, + msg450, + msg451, + msg452, + msg453, + msg454, + msg455, + msg456, + msg457, + msg458, + msg459, + msg460, + msg461, + msg462, + msg463, + msg464, + msg465, + msg466, + msg467, + msg468, + ]); + + var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); + + var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); + + var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); + + var select185 = linear_select([ + part799, + part800, + part801, + ]); + + var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has 
attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); + + var all161 = all_match({ + processors: [ + select185, + part802, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + setc("signame","Attempt to Connect to the NetScreen-Global Port"), + ]), + }); + + var msg469 = msg("00028", all161); + + var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg470 = msg("00029", part803); + + var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg471 = msg("00029:01", part804); + + var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); + + var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); + + var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); + + var select186 = linear_select([ + part806, + part807, + ]); + + var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); + + var all162 = all_match({ + processors: [ + part805, + select186, + part808, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg472 = msg("00029:02", all162); + + var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); + + var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); + + var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); + + var select187 = linear_select([ + part810, + part811, + ]); + + var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); + + var all163 = all_match({ + processors: [ + dup210, + dup337, + part809, + select187, + part812, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg473 = msg("00029:03", all163); + + var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg474 = msg("00029:04", part813); + + var select188 = linear_select([ + msg470, + msg471, + msg472, + msg473, + msg474, + ]); + + var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg475 = msg("00030", part814); + + var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); + + var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); + + var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); + + var select189 = linear_select([ + part816, + part817, + ]); + + var all164 = all_match({ + processors: [ + part815, + select189, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg476 = msg("00030:01", all164); + + var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg477 = msg("00030:05", part818); + + var part819 = 
match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg478 = msg("00030:06", part819); + + var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg479 = msg("00030:07", part820); + + var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg480 = msg("00030:10", part821); + + var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg481 = msg("00030:12", part822); + + var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); + + var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); + + var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); + + var select190 = linear_select([ + part824, + part825, + ]); + + var all165 = all_match({ + processors: [ + part823, + select190, + ], + on_success: processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg482 = msg("00030:13", all165); + + var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); + + var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); + + var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); + + var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); + + var select191 = linear_select([ + part826, + part827, + part828, + part829, + ]); + + var part830 = 
match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); + + var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); + + var select192 = linear_select([ + part831, + dup16, + ]); + + var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); + + var all166 = all_match({ + processors: [ + dup55, + select191, + part830, + select192, + part832, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg483 = msg("00030:14", all166); + + var msg484 = msg("00030:02", dup375); + + var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg485 = msg("00030:15", part833); + + var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg486 = msg("00030:16", part834); + + var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg487 = msg("00030:18", part835); + + var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); + + var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); + + var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); + + var select193 = linear_select([ + part837, + part838, + ]); + + var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); + + var all167 = all_match({ + processors: [ + part836, + select193, + part839, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var 
msg488 = msg("00030:19", all167); + + var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg489 = msg("00030:30", part840); + + var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg490 = msg("00030:31", part841); + + var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg491 = msg("00030:32", part842); + + var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg492 = msg("00030:33", part843); + + var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg493 = msg("00030:34", part844); + + var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg494 = msg("00030:35", part845); + + var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg495 = msg("00030:36", part846); + + var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + 
+ var msg496 = msg("00030:37", part847); + + var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg497 = msg("00030:38", part848); + + var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); + + var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); + + var select194 = linear_select([ + part850, + dup16, + ]); + + var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); + + var all168 = all_match({ + processors: [ + part849, + select194, + part851, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg498 = msg("00030:39", all168); + + var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); + + var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); + + var all169 = all_match({ + processors: [ + part852, + dup376, + part853, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg499 = msg("00030:17", all169); + + var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); + + var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); + + var select195 = linear_select([ + dup214, + part855, + ]); + + var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); + + var all170 = all_match({ + processors: [ + part854, + select195, + part856, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg500 = msg("00030:40", all170); + + var part857 = match("MESSAGE#494:00030:41", 
"nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg501 = msg("00030:41", part857); + + var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg502 = msg("00030:42", part858); + + var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg503 = msg("00030:43", part859); + + var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg504 = msg("00030:44", part860); + + var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg505 = msg("00030:45", part861); + + var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg506 = msg("00030:46", part862); + + var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg507 = msg("00030:47", part863); + + var part864 = match("MESSAGE#501:00030:48", 
"nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg508 = msg("00030:48", part864); + + var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg509 = msg("00030:49", part865); + + var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg510 = msg("00030:50", part866); + + var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg511 = msg("00030:51", part867); + + var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg512 = msg("00030:52", part868); + + var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg513 = msg("00030:53", part869); + + var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ + dup44, + dup211, + dup31, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg514 = msg("00030:54", part870); + + var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: 
The device could not generate %{p0}"); + + var all171 = all_match({ + processors: [ + part871, + dup377, + dup217, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg515 = msg("00030:55", all171); + + var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg516 = msg("00030:56", part872); + + var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ + dup35, + dup218, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg517 = msg("00030:57", part873); + + var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ + dup86, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg518 = msg("00030:58", part874); + + var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ + dup35, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg519 = msg("00030:59", part875); + + var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ + dup35, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg520 = msg("00030:60", part876); + + var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg521 = msg("00030:61", part877); + + var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", 
"PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg522 = msg("00030:62", part878); + + var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ + dup18, + dup219, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg523 = msg("00030:63", part879); + + var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ + dup18, + dup218, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg524 = msg("00030:64", part880); + + var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ + dup18, + dup218, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg525 = msg("00030:65", part881); + + var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg526 = msg("00030:66", part882); + + var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg527 = msg("00030:67", part883); + + var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg528 = msg("00030:68", part884); + + var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI 
data.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg529 = msg("00030:69", part885); + + var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); + + var all172 = all_match({ + processors: [ + part886, + dup377, + dup217, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg530 = msg("00030:70", all172); + + var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg531 = msg("00030:71", part887); + + var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg532 = msg("00030:72", part888); + + var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); + + var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); + + var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); + + var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); + + var select196 = linear_select([ + part890, + part891, + part892, + ]); + + var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); + + var all173 = all_match({ + processors: [ + part889, + select196, + part893, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg533 = msg("00030:73", all173); + + var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ + dup44, 
+ dup2, + dup3, + dup4, + dup5, + ])); + + var msg534 = msg("00030:74", part894); + + var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg535 = msg("00030:75", part895); + + var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); + + var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); + + var all174 = all_match({ + processors: [ + part896, + dup376, + part897, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg536 = msg("00030:76", all174); + + var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ + dup18, + dup218, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg537 = msg("00030:77", part898); + + var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ + dup35, + dup211, + dup220, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg538 = msg("00030:78", part899); + + var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ + dup35, + dup211, + dup220, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg539 = msg("00030:79", part900); + + var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg540 = msg("00030:80", part901); + + var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg541 = msg("00030:81", 
part902); + + var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg542 = msg("00030:82", part903); + + var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg543 = msg("00030:83", part904); + + var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg544 = msg("00030:84", part905); + + var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ + setc("eventcategory","1603080000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg545 = msg("00030:85", part906); + + var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); + + var all175 = all_match({ + processors: [ + dup221, + dup378, + part907, + ], + on_success: processor_chain([ + dup223, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg546 = msg("00030:86", all175); + + var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + dup9, + ])); + + var msg547 = msg("00030:87", part908); + + var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); + + var all176 = all_match({ + processors: [ + dup221, + dup378, + part909, + ], + on_success: processor_chain([ + dup223, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg548 = msg("00030:88", all176); + + var select197 = linear_select([ + msg475, + msg476, + msg477, + msg478, + msg479, + msg480, + msg481, + msg482, + msg483, + msg484, + msg485, + msg486, + msg487, + msg488, + msg489, + msg490, + msg491, + msg492, + msg493, + msg494, + msg495, + msg496, + msg497, + msg498, + msg499, + msg500, + msg501, + msg502, + msg503, + msg504, + msg505, + msg506, + msg507, + msg508, + msg509, + msg510, + msg511, + msg512, + msg513, + msg514, + msg515, + msg516, + msg517, + msg518, + msg519, + msg520, + msg521, + msg522, + msg523, + msg524, + msg525, + msg526, + msg527, + msg528, + msg529, + msg530, + msg531, + msg532, + msg533, + msg534, + msg535, + msg536, + msg537, + msg538, + msg539, + msg540, + msg541, + msg542, + msg543, + msg544, + msg545, + msg546, + msg547, + msg548, + ]); + + var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg549 = msg("00031:13", part910); + + var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg550 = msg("00031", part911); + + var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg551 = msg("00031:01", part912); + + var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); + + var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); + + var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); + + var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); + + var all177 = all_match({ + processors: [ + part913, + dup379, + part914, + dup379, + part915, + dup379, + part916, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg552 = msg("00031:02", all177); + + var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); + + var select198 = linear_select([ + dup130, + dup129, + ]); + + var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); + + var all178 = all_match({ + processors: [ + part917, + select198, + part918, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg553 = msg("00031:03", all178); + + var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); + + var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); + + var select199 = linear_select([ + part920, + dup226, + ]); + + var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); + + var all179 = all_match({ + processors: [ + part919, + select199, + part921, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg554 = msg("00031:04", all179); + + var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); + + var select200 = linear_select([ + dup226, + dup25, + ]); + + var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); + + var all180 = all_match({ + processors: [ + part922, + select200, + part923, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg555 = msg("00031:11", all180); + + var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); + + var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); + + var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); + + var select201 = linear_select([ + part925, + part926, + ]); + + var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); + + var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); + + var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); + + var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); + + var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); + + var select202 = linear_select([ + part931, + dup96, + ]); + + var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); + + var all181 = all_match({ + processors: [ + part924, + select201, + part927, + dup379, + part928, + dup379, + part929, + dup379, + part930, + select202, + part932, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg556 = msg("00031:08", all181); + + var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); + + var all182 = all_match({ + processors: [ + part933, + dup337, + dup227, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg557 = msg("00031:05", all182); + + var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); + + var select203 = linear_select([ + part934, + dup229, + dup230, + ]); + + var part935 = 
match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); + + var select204 = linear_select([ + dup105, + dup96, + ]); + + var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); + + var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); + + var all183 = all_match({ + processors: [ + dup228, + select203, + part935, + select204, + part936, + dup356, + part937, + dup352, + dup23, + dup380, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg558 = msg("00031:06", all183); + + var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); + + var all184 = all_match({ + processors: [ + dup228, + dup381, + part938, + dup337, + dup227, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg559 = msg("00031:07", all184); + + var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); + + var all185 = all_match({ + processors: [ + dup228, + dup381, + part939, + dup380, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg560 = msg("00031:09", all185); + + var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg561 = msg("00031:10", part940); + + var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg562 = msg("00031:12", part941); + + var select205 = linear_select([ + msg549, + msg550, + msg551, + msg552, + msg553, + msg554, + msg555, + msg556, + msg557, + msg558, + msg559, + msg560, + msg561, + msg562, + ]); + + var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup232, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg563 = msg("00032", part942); + + var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg564 = msg("00032:01", part943); + + var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); + + var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); + + var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); + + var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); + + var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); + + var select206 = linear_select([ + part945, + part946, + part947, + part948, + ]); + + var all186 = all_match({ + processors: [ + part944, + select206, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg565 = msg("00032:03", all186); + + var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred 
%{dclass_counter1->} times", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, + ])); + + var msg566 = msg("00032:04", part949); + + var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg567 = msg("00032:05", part950); + + var msg568 = msg("00032:02", dup375); + + var select207 = linear_select([ + msg563, + msg564, + msg565, + msg566, + msg567, + msg568, + ]); + + var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("agent","NSM"), + ])); + + var msg569 = msg("00033:25", part951); + + var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); + + var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); + + var select208 = linear_select([ + dup52, + part953, + ]); + + var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); + + var all187 = all_match({ + processors: [ + dup382, + part952, + select208, + part954, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg570 = msg("00033", all187); + + var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); + + var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); + + var select209 = linear_select([ + part955, + part956, + ]); + + var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); + + var all188 = all_match({ + processors: [ + dup160, + select209, + dup23, + dup369, + part957, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg571 = msg("00033:03", all188); + + var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host 
has been %{disposition}"); + + var all189 = all_match({ + processors: [ + dup382, + dup23, + dup369, + part958, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg572 = msg("00033:02", all189); + + var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg573 = msg("00033:04", part959); + + var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg574 = msg("00033:05", part960); + + var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ + dup27, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg575 = msg("00033:06", part961); + + var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ + dup27, + dup2, + dup3, + setc("dclass_counter1_string","Number of times the threshold was exceeded"), + dup4, + dup5, + dup61, + ])); + + var msg576 = msg("00033:01", part962); + + var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg577 = msg("00033:07", part963); + + var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); + + var all190 = all_match({ + processors: [ + dup235, + dup383, + part964, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg578 = msg("00033:08", all190); + + var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); + + var all191 = all_match({ + processors: [ + dup235, + dup383, + part965, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg579 = msg("00033:09", all191); + + var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); + + var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); + + var select210 = linear_select([ + part967, + dup238, + ]); + + var all192 = all_match({ + processors: [ + dup235, + dup383, + part966, + select210, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg580 = msg("00033:10", all192); + + var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); + + var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); + + var all193 = all_match({ + processors: [ + dup235, + dup383, + part968, + dup383, + part969, + ], + 
on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg581 = msg("00033:11", all193); + + var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); + + var select211 = linear_select([ + dup101, + dup238, + ]); + + var all194 = all_match({ + processors: [ + dup235, + dup383, + part970, + select211, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg582 = msg("00033:12", all194); + + var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); + + var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); + + var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); + + var select212 = linear_select([ + part972, + part973, + ]); + + var all195 = all_match({ + processors: [ + dup235, + dup383, + part971, + select212, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg583 = msg("00033:13", all195); + + var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); + + var all196 = all_match({ + processors: [ + dup235, + dup383, + part974, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg584 = msg("00033:14", all196); + + var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); + + var all197 = all_match({ + processors: [ + dup235, + dup383, + part975, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg585 = msg("00033:15", all197); + + var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); + + var all198 = all_match({ + processors: [ + dup235, + dup383, + part976, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, 
+ dup5, + ]), + }); + + var msg586 = msg("00033:16", all198); + + var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); + + var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); + + var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); + + var select213 = linear_select([ + part978, + part979, + ]); + + var all199 = all_match({ + processors: [ + dup235, + dup383, + part977, + select213, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg587 = msg("00033:17", all199); + + var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); + + var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); + + var all200 = all_match({ + processors: [ + part980, + dup339, + dup70, + dup340, + part981, + ], + on_success: processor_chain([ + dup27, + dup2, + dup4, + dup5, + dup3, + dup59, + dup61, + ]), + }); + + var msg588 = msg("00033:19", all200); + + var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ + dup27, + dup2, + dup4, + dup5, + dup3, + dup59, + dup60, + ])); + + var msg589 = msg("00033:20", part982); + + var all201 = all_match({ + processors: [ + dup239, + dup343, + dup83, + ], + on_success: processor_chain([ + dup27, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg590 = msg("00033:21", all201); + + var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var all202 = all_match({ + processors: [ + part983, + dup343, + dup83, + ], + on_success: processor_chain([ + dup27, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg591 = msg("00033:22", all202); + + var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg592 = msg("00033:23", part984); + + var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ + setc("eventcategory","1001030500"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg593 = msg("00033:24", part985); + + var select214 = linear_select([ + msg569, + msg570, + msg571, + msg572, + msg573, + msg574, + msg575, + msg576, + msg577, + msg578, + msg579, + msg580, + msg581, + msg582, + msg583, + msg584, + msg585, + msg586, + msg587, + msg588, + msg589, + msg590, + msg591, + msg592, + msg593, + ]); + + var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); + + var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); + + var select215 = linear_select([ + part986, + part987, + ]); + + var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); + + var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); + + var select216 = linear_select([ + part988, + dup201, + part989, + ]); + + var select217 = linear_select([ + dup196, + dup103, + dup163, + ]); + + var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); + + var all203 = all_match({ + processors: [ + select215, + dup103, + select216, + dup202, + select217, + part990, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg594 = msg("00034", all203); + + var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); + + var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); + + var select218 = linear_select([ + part991, + part992, + ]); + + var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); + + var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); + + var select219 = linear_select([ + part994, + dup241, + ]); + + var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); + + var all204 = all_match({ + processors: [ + select218, + part993, + select219, + part995, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg595 = msg("00034:01", all204); + + var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg596 = msg("00034:02", part996); + + var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); + + var all205 = all_match({ + processors: [ + dup384, + part997, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg597 = msg("00034:03", all205); + + var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg598 = msg("00034:04", part998); + + var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg599 = msg("00034:05", part999); + + var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); + + var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); + + var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); + + var select220 = linear_select([ + part1001, + part1002, + ]); + + var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); + + var all206 = all_match({ + processors: [ + dup384, + part1000, + select220, + part1003, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg600 = msg("00034:06", all206); + + var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg601 = msg("00034:07", part1004); + + var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg602 = msg("00034:08", part1005); + + var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg603 = msg("00034:09", part1006); + + var part1007 = 
match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); + + var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); + + var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); + + var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); + + var select221 = linear_select([ + part1009, + part1010, + ]); + + var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); + + var all207 = all_match({ + processors: [ + dup244, + dup385, + part1007, + dup352, + part1008, + select221, + part1011, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg604 = msg("00034:10", all207); + + var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); + + var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); + + var all208 = all_match({ + processors: [ + dup244, + dup385, + part1012, + dup386, + part1013, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg605 = msg("00034:12", all208); + + var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); + + var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); + + var all209 = all_match({ + processors: [ + dup244, + dup385, + part1014, + dup386, + part1015, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg606 = msg("00034:11", all209); + + var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ + dup240, + 
dup2, + dup3, + dup4, + dup5, + ])); + + var msg607 = msg("00034:15", part1016); + + var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); + + var all210 = all_match({ + processors: [ + dup244, + dup387, + part1017, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg608 = msg("00034:18", all210); + + var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); + + var all211 = all_match({ + processors: [ + dup244, + dup387, + part1018, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg609 = msg("00034:20", all211); + + var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); + + var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); + + var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); + + var select222 = linear_select([ + part1021, + dup156, + ]); + + var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); + + var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); + + var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); + + var select223 = linear_select([ + part1023, + part1024, + ]); + + var all212 = all_match({ + processors: [ + dup244, + dup387, + part1019, + dup372, + part1020, + select222, + part1022, + select223, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg610 = msg("00034:21", all212); + + var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS 
to vsys %{fld2->} using the shared untrusted interface", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg611 = msg("00034:22", part1025); + + var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); + + var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); + + var select224 = linear_select([ + part1026, + part1027, + ]); + + var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); + + var all213 = all_match({ + processors: [ + dup160, + select224, + part1028, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg612 = msg("00034:23", all213); + + var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg613 = msg("00034:24", part1029); + + var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg614 = msg("00034:25", part1030); + + var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg615 = msg("00034:26", part1031); + + var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg616 = msg("00034:27", part1032); + + var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg617 = msg("00034:28", part1033); + + var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg618 = msg("00034:29", part1034); + + var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg619 = msg("00034:30", part1035); + + var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg620 = msg("00034:31", part1036); + + var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg621 = msg("00034:32", part1037); + + var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg622 = msg("00034:33", part1038); + + var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg623 = msg("00034:34", part1039); + + var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg624 = msg("00034:35", part1040); + + var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg625 = msg("00034:36", part1041); + + var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg626 = msg("00034:37", part1042); + + var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg627 = msg("00034:38", part1043); + + var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg628 = msg("00034:39", part1044); + + var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg629 = msg("00034:40", part1045); + + var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file 
%{p0}"); + + var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); + + var all214 = all_match({ + processors: [ + part1046, + dup373, + part1047, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg630 = msg("00034:41", all214); + + var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg631 = msg("00034:42", part1048); + + var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg632 = msg("00034:43", part1049); + + var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg633 = msg("00034:44", part1050); + + var select225 = linear_select([ + msg594, + msg595, + msg596, + msg597, + msg598, + msg599, + msg600, + msg601, + msg602, + msg603, + msg604, + msg605, + msg606, + msg607, + msg608, + msg609, + msg610, + msg611, + msg612, + msg613, + msg614, + msg615, + msg616, + msg617, + msg618, + msg619, + msg620, + msg621, + msg622, + msg623, + msg624, + msg625, + msg626, + msg627, + msg628, + msg629, + msg630, + msg631, + msg632, + msg633, + ]); + + var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg634 = msg("00035", part1051); + + var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + 
dup5, + ])); + + var msg635 = msg("00035:01", part1052); + + var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg636 = msg("00035:02", part1053); + + var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg637 = msg("00035:03", part1054); + + var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); + + var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); + + var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); + + var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); + + var select226 = linear_select([ + part1056, + part1057, + part1058, + ]); + + var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); + + var all215 = all_match({ + processors: [ + part1055, + select226, + part1059, + ], + on_success: processor_chain([ + dup117, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg638 = msg("00035:04", all215); + + var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg639 = msg("00035:05", part1060); + + var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); + + var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); + + var all216 = all_match({ + processors: [ + part1061, + dup388, + part1062, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg640 = msg("00035:06", all216); + + var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg641 = msg("00035:07", part1063); + + var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg642 = msg("00035:08", part1064); + + var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); + + var select227 = linear_select([ + part1065, + dup92, + ]); + + var all217 = all_match({ + processors: [ + dup253, + select227, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg643 = msg("00035:09", all217); + + var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); + + var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); + + var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); + + var select228 = linear_select([ + part1067, + part1068, + ]); + + var all218 = all_match({ + processors: [ + part1066, + select228, + ], + on_success: processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg644 = msg("00035:10", all218); + + var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); + + var part1070 = 
match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); + + var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); + + var select229 = linear_select([ + part1070, + part1071, + ]); + + var all219 = all_match({ + processors: [ + part1069, + select229, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg645 = msg("00035:11", all219); + + var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); + + var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); + + var all220 = all_match({ + processors: [ + part1072, + dup388, + part1073, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg646 = msg("00035:12", all220); + + var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); + + var select230 = linear_select([ + dup101, + part1074, + ]); + + var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. 
Key type is not RSA%{}"); + + var all221 = all_match({ + processors: [ + dup253, + select230, + part1075, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg647 = msg("00035:13", all221); + + var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg648 = msg("00035:14", part1076); + + var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); + + var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); + + var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); + + var select231 = linear_select([ + part1078, + part1079, + ]); + + var all222 = all_match({ + processors: [ + part1077, + select231, + ], + on_success: processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg649 = msg("00035:15", all222); + + var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg650 = msg("00035:16", part1080); + + var select232 = linear_select([ + msg634, + msg635, + msg636, + msg637, + msg638, + msg639, + msg640, + msg641, + msg642, + msg643, + msg644, + msg645, + msg646, + msg647, + msg648, + msg649, + msg650, + ]); + + var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg651 = msg("00036", part1081); + + var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); + + var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); 
+ + var select233 = linear_select([ + dup214, + part1083, + ]); + + var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); + + var all223 = all_match({ + processors: [ + part1082, + select233, + part1084, + ], + on_success: processor_chain([ + dup254, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg652 = msg("00036:01", all223); + + var select234 = linear_select([ + msg651, + msg652, + ]); + + var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); + + var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); + + var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); + + var select235 = linear_select([ + part1086, + part1087, + ]); + + var all224 = all_match({ + processors: [ + part1085, + select235, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg653 = msg("00037", all224); + + var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); + + var select236 = linear_select([ + dup255, + dup256, + ]); + + var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); + + var all225 = all_match({ + processors: [ + part1088, + select236, + part1089, + dup351, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg654 = msg("00037:01", all225); + + var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg655 = msg("00037:02", part1090); + + var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); + + var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); + + var select237 = linear_select([ + part1091, + part1092, + ]); + + var part1093 = match("MESSAGE#646:00037:03/3", 
"nwparser.p0", "virtual router %{p0}"); + + var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); + + var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); + + var select238 = linear_select([ + part1094, + part1095, + ]); + + var all226 = all_match({ + processors: [ + dup113, + select237, + dup371, + part1093, + select238, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg656 = msg("00037:03", all226); + + var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg657 = msg("00037:04", part1096); + + var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); + + var select239 = linear_select([ + dup256, + dup255, + ]); + + var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); + + var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); + + var select240 = linear_select([ + dup10, + part1099, + ]); + + var all227 = all_match({ + processors: [ + part1097, + select239, + part1098, + select240, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg658 = msg("00037:05", all227); + + var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg659 = msg("00037:06", part1100); + + var select241 = linear_select([ + msg653, + msg654, + msg655, + msg656, + msg657, + msg658, + msg659, + ]); + + var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); + + var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); + + var part1103 = match("MESSAGE#650:00038/1_1", 
"nwparser.p0", "%{node->} %{p0}"); + + var select242 = linear_select([ + part1102, + part1103, + ]); + + var all228 = all_match({ + processors: [ + part1101, + select242, + dup36, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg660 = msg("00038", all228); + + var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg661 = msg("00039", part1104); + + var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); + + var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); + + var select243 = linear_select([ + part1105, + part1106, + ]); + + var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); + + var all229 = all_match({ + processors: [ + select243, + part1107, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg662 = msg("00040", all229); + + var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg663 = msg("00040:01", part1108); + + var select244 = linear_select([ + msg662, + msg663, + ]); + + var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg664 = msg("00041", part1109); + + var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg665 = msg("00041:01", part1110); + + var select245 = linear_select([ + msg664, + msg665, + ]); + + var part1111 = 
match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg666 = msg("00042", part1111); + + var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup9, + dup4, + dup5, + dup60, + ])); + + var msg667 = msg("00042:01", part1112); + + var select246 = linear_select([ + msg666, + msg667, + ]); + + var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg668 = msg("00043", part1113); + + var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); + + var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); + + var select247 = linear_select([ + dup257, + part1115, + ]); + + var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); + + var all230 = all_match({ + processors: [ + part1114, + select247, + part1116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg669 = msg("00044", all230); + + var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg670 = msg("00044:01", part1117); + + var select248 = linear_select([ + msg669, + msg670, + ]); + + var part1118 = 
match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg671 = msg("00045", part1118); + + var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); + + var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); + + var select249 = linear_select([ + part1119, + part1120, + ]); + + var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); + + var all231 = all_match({ + processors: [ + dup183, + select249, + part1121, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg672 = msg("00047", all231); + + var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); + + var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); + + var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); + + var select250 = linear_select([ + part1123, + part1124, + ]); + + var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); + + var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); + + var select251 = linear_select([ + part1126, + dup112, + ]); + + var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); + + var select252 = linear_select([ + part1127, + dup139, + ]); + + var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); + + var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); + + var select253 = linear_select([ + part1129, + dup16, + ]); + + var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); + + var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); + + var select254 = 
linear_select([ + part1131, + dup129, + ]); + + var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); + + var all232 = all_match({ + processors: [ + part1122, + select250, + part1125, + select251, + dup257, + select252, + part1128, + select253, + part1130, + select254, + part1132, + ], + on_success: processor_chain([ + setc("eventcategory","1501000000"), + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg673 = msg("00048", all232); + + var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); + + var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); + + var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); + + var select255 = linear_select([ + part1134, + part1135, + ]); + + var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); + + var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); + + var select256 = linear_select([ + part1137, + dup105, + ]); + + var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); + + var all233 = all_match({ + processors: [ + part1133, + select255, + part1136, + select256, + part1138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg674 = msg("00048:01", all233); + + var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ + dup209, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg675 = msg("00048:02", part1139); + + var select257 = linear_select([ + msg673, + msg674, + msg675, + ]); + + var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ + 
dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg676 = msg("00049", part1140); + + var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg677 = msg("00049:01", part1141); + + var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg678 = msg("00049:02", part1142); + + var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg679 = msg("00049:03", part1143); + + var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg680 = msg("00049:04", part1144); + + var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg681 = msg("00049:05", part1145); + + var select258 = linear_select([ + msg676, + msg677, + msg678, + msg679, + msg680, + msg681, + ]); + + var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg682 = msg("00050", part1146); + + var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg683 = msg("00051", part1147); + + var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg684 = msg("00052", part1148); + + var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); + + var select259 = linear_select([ + dup169, + part1149, + ]); + + var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); + + var all234 = all_match({ + processors: [ + dup258, + select259, + part1150, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg685 = msg("00055", all234); + + var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); + + var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); + + var select260 = linear_select([ + part1151, + part1152, + ]); + + var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); + + var all235 = all_match({ + processors: [ + dup258, + select260, + part1153, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, 
+ dup5, + ]), + }); + + var msg686 = msg("00055:01", all235); + + var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); + + var all236 = all_match({ + processors: [ + dup259, + dup389, + part1154, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg687 = msg("00055:02", all236); + + var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); + + var all237 = all_match({ + processors: [ + dup259, + dup389, + part1155, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg688 = msg("00055:03", all237); + + var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg689 = msg("00055:04", part1156); + + var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); + + var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); + + var select261 = linear_select([ + dup110, + part1158, + ]); + + var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); + + var all238 = all_match({ + processors: [ + part1157, + select261, + part1159, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg690 = msg("00055:05", all238); + + var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); + + var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); + + var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); + + var select262 = linear_select([ + part1161, + part1162, + ]); + + var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface 
%{interface}."); + + var all239 = all_match({ + processors: [ + part1160, + select262, + part1163, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg691 = msg("00055:06", all239); + + var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); + + var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); + + var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); + + var select263 = linear_select([ + part1164, + part1165, + part1166, + ]); + + var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); + + var all240 = all_match({ + processors: [ + dup258, + select263, + part1167, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg692 = msg("00055:07", all240); + + var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); + + var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); + + var select264 = linear_select([ + part1168, + part1169, + ]); + + var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); + + var all241 = all_match({ + processors: [ + dup258, + select264, + part1170, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg693 = msg("00055:08", all241); + + var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg694 = msg("00055:09", part1171); + + var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg695 = msg("00055:10", part1172); + 
+ var select265 = linear_select([ + msg685, + msg686, + msg687, + msg688, + msg689, + msg690, + msg691, + msg692, + msg693, + msg694, + msg695, + ]); + + var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg696 = msg("00056", part1173); + + var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg697 = msg("00057", part1174); + + var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg698 = msg("00058", part1175); + + var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); + + var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); + + var select266 = linear_select([ + part1177, + dup262, + dup157, + dup156, + ]); + + var all242 = all_match({ + processors: [ + part1176, + select266, + dup116, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg699 = msg("00059", all242); + + var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); + + var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); + + var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); + + var select267 = linear_select([ + part1179, + part1180, + ]); + + var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); + + var 
all243 = all_match({ + processors: [ + part1178, + select267, + part1181, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg700 = msg("00059:02", all243); + + var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg701 = msg("00059:03", part1182); + + var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg702 = msg("00059:04", part1183); + + var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); + + var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); + + var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); + + var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); + + var select268 = linear_select([ + part1184, + part1185, + part1186, + part1187, + ]); + + var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); + + var all244 = all_match({ + processors: [ + select268, + part1188, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg703 = msg("00059:05", all244); + + var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg704 = msg("00059:06", part1189); + + var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ + 
dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg705 = msg("00059:07", part1190); + + var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); + + var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); + + var select269 = linear_select([ + part1191, + part1192, + ]); + + var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); + + var all245 = all_match({ + processors: [ + select269, + part1193, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg706 = msg("00059:08", all245); + + var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); + + var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); + + var select270 = linear_select([ + part1194, + part1195, + ]); + + var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); + + var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); + + var select271 = linear_select([ + dup261, + part1197, + ]); + + var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); + + var all246 = all_match({ + processors: [ + dup160, + select270, + part1196, + select271, + part1198, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg707 = msg("00059:09", all246); + + var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg708 = msg("00059:01", part1199); + + var select272 = linear_select([ + msg699, + msg700, + msg701, + msg702, + msg703, + msg704, + msg705, + msg706, + msg707, + msg708, + ]); + + var 
part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP failed"), + ])); + + var msg709 = msg("00062:01", part1200); + + var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP failure reached threshold"), + ])); + + var msg710 = msg("00062:02", part1201); + + var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP succeeded"), + ])); + + var msg711 = msg("00062:03", part1202); + + var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg712 = msg("00062", part1203); + + var select273 = linear_select([ + msg709, + msg710, + msg711, + msg712, + ]); + + var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg713 = msg("00063", part1204); + + var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg714 = msg("00064", part1205); + + var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg715 = msg("00064:01", part1206); + + var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg716 = msg("00064:02", part1207); + + var select274 = linear_select([ + msg714, + msg715, + msg716, + ]); + + var msg717 = msg("00070", dup411); + + var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); + + var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); + + var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); + + var select275 = linear_select([ + part1209, + part1210, + ]); + + var all247 = all_match({ + processors: [ + dup267, + dup391, + part1208, + select275, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg718 = msg("00070:01", all247); + + var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg719 = msg("00070:02", part1211); + + var select276 = linear_select([ + msg717, + msg718, + msg719, + ]); + + var msg720 = msg("00071", dup411); + + var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg721 = msg("00071:01", part1212); + + var select277 = linear_select([ + msg720, + msg721, + ]); + + var msg722 = msg("00072", dup411); + + var msg723 = msg("00072:01", dup412); + + var select278 = linear_select([ + msg722, + msg723, + ]); + + var msg724 = msg("00073", dup411); + + var msg725 = msg("00073:01", dup412); + + var select279 = linear_select([ + msg724, + msg725, + ]); + + var msg726 = msg("00074", dup392); + + var all248 = all_match({ + processors: [ + dup263, + dup390, + dup271, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + 
}); + + var msg727 = msg("00075", all248); + + var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), + ])); + + var msg728 = msg("00075:02", part1213); + + var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg729 = msg("00075:01", part1214); + + var select280 = linear_select([ + msg727, + msg728, + msg729, + ]); + + var msg730 = msg("00076", dup392); + + var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); + + var all249 = all_match({ + processors: [ + dup263, + dup390, + part1215, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg731 = msg("00076:01", all249); + + var select281 = linear_select([ + msg730, + msg731, + ]); + + var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg732 = msg("00077", part1216); + + var all250 = all_match({ + processors: [ + dup263, + dup390, + dup271, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg733 = msg("00077:01", all250); + + var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ + setc("eventcategory","1607000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg734 = msg("00077:02", part1217); + + var select282 = linear_select([ + msg732, + msg733, + msg734, + ]); + + var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg735 = msg("00084", part1218); + + var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); + + var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); + + var select283 = linear_select([ + part1219, + part1220, + ]); + + var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); + + var all251 = all_match({ + processors: [ + select283, + dup103, + dup369, + part1221, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg736 = msg("00090", all251); + + var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg737 = msg("00200", part1222); + + var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router 
exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg738 = msg("00201", part1223); + + var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ + dup272, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg739 = msg("00202", part1224); + + var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ + dup272, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg740 = msg("00203", part1225); + + var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); + + var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); + + var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); + + var select284 = linear_select([ + part1227, + part1228, + ]); + + var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); + + var all252 = all_match({ + processors: [ + part1226, + select284, + part1229, + ], + on_success: processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg741 = msg("00206", all252); + + var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); + + var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); + + var all253 = all_match({ + processors: [ + part1230, + dup352, + part1231, + ], + on_success: processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg742 = msg("00206:01", all253); + + var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet 
flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); + + var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); + + var all254 = all_match({ + processors: [ + part1232, + dup352, + part1233, + ], + on_success: processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg743 = msg("00206:02", all254); + + var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg744 = msg("00206:03", part1234); + + var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg745 = msg("00206:04", part1235); + + var select285 = linear_select([ + msg741, + msg742, + msg743, + msg744, + msg745, + ]); + + var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg746 = msg("00207", part1236); + + var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg747 = msg("00207:01", part1237); + + var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg748 = msg("00207:02", part1238); + + var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in 
vr %{fld3}.", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg749 = msg("00207:03", part1239); + + var select286 = linear_select([ + msg746, + msg747, + msg748, + msg749, + ]); + + var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + dup278, + ])); + + var msg750 = msg("00257", part1240); + + var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup279, + dup276, + dup277, + dup280, + ])); + + var msg751 = msg("00257:14", part1241); + + var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + dup278, + ])); + + var msg752 = msg("00257:01", part1242); + + var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} 
direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup279, + dup282, + dup280, + ])); + + var msg753 = msg("00257:15", part1243); + + var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + ])); + + var msg754 = msg("00257:02", part1244); + + var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ])); + + var msg755 = msg("00257:03", part1245); + + var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + ])); + + var msg756 = msg("00257:04", part1246); + + var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ])); + + var msg757 = msg("00257:05", part1247); + + var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); + + var all255 = all_match({ + processors: [ + dup283, + dup393, + part1248, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg758 = msg("00257:19", all255); + + var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); + + var all256 = all_match({ + processors: [ + dup283, + dup393, + part1249, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg759 = msg("00257:16", all256); + + var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); + + var all257 = all_match({ + processors: [ + dup283, + dup393, + part1250, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ]), + }); + + var msg760 = msg("00257:17", all257); + + var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); + + var all258 = all_match({ + processors: [ + dup283, + dup393, + part1251, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ]), + }); + + var msg761 = msg("00257:18", all258); + + var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); + + var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); + + var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); + + var select287 = linear_select([ + part1253, + part1254, + ]); + + var all259 = all_match({ + processors: [ + part1252, + select287, + ], + on_success: processor_chain([ + dup185, + 
dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + ]), + }); + + var msg762 = msg("00257:06", all259); + + var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ])); + + var msg763 = msg("00257:07", part1255); + + var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup276, + dup277, + ])); + + var msg764 = msg("00257:08", part1256); + + var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); + + var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); + + var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); + + var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); + + var select288 = linear_select([ + part1258, + part1259, + part1260, + ]); + + var all260 = all_match({ + processors: [ + part1257, + select288, + ], + on_success: processor_chain([ + 
dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg765 = msg("00257:09", all260); + + var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); + + var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); + + var select289 = linear_select([ + part1262, + dup286, + ]); + + var all261 = all_match({ + processors: [ + part1261, + select289, + ], + on_success: processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup276, + dup277, + ]), + }); + + var msg766 = msg("00257:10", all261); + + var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); + + var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); + + var select290 = linear_select([ + part1264, + dup286, + ]); + + var all262 = all_match({ + processors: [ + part1263, + select290, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg767 = msg("00257:11", all262); + + var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + 
dup275, + dup60, + dup282, + ])); + + var msg768 = msg("00257:12", part1265); + + var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ + dup281, + dup2, + dup3, + dup274, + dup4, + dup5, + ])); + + var msg769 = msg("00257:13", part1266); + + var select291 = linear_select([ + msg750, + msg751, + msg752, + msg753, + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, + msg769, + ]); + + var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); + + var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); + + var select292 = linear_select([ + part1268, + dup289, + dup241, + ]); + + var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); + + var all263 = all_match({ + processors: [ + dup394, + part1267, + select292, + part1269, + ], + on_success: processor_chain([ + dup28, + dup29, + dup30, + dup31, + dup32, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg770 = msg("00259", all263); + + var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); + + var all264 = all_match({ + processors: [ + dup394, + part1270, + ], + on_success: processor_chain([ + dup33, + dup29, + dup34, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg771 = msg("00259:07", all264); + + var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg772 = msg("00259:01", part1271); + + var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ 
+ dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg773 = msg("00259:02", part1272); + + var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg774 = msg("00259:03", part1273); + + var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg775 = msg("00259:04", part1274); + + var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); + + var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); + + var select293 = linear_select([ + dup241, + dup289, + part1276, + ]); + + var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); + + var all265 = all_match({ + processors: [ + part1275, + select293, + part1277, + ], + on_success: processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg776 = msg("00259:05", all265); + + var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg777 = msg("00259:06", part1278); + + var select294 = linear_select([ + msg770, + msg771, + msg772, + msg773, + msg774, + msg775, + msg776, + msg777, + ]); + + var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg778 = msg("00262", 
part1279); + + var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ + setc("eventcategory","1401050100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg779 = msg("00263", part1280); + + var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); + + var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); + + var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); + + var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); + + var select295 = linear_select([ + part1281, + part1282, + part1283, + part1284, + ]); + + var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); + + var all266 = all_match({ + processors: [ + select295, + part1285, + ], + on_success: processor_chain([ + setc("eventcategory","1003000000"), + dup2, + dup4, + dup5, + dup3, + dup61, + ]), + }); + + var msg780 = msg("00400", all266); + + var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup291, + ])); + + var msg781 = msg("00401", part1286); + + var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup292, + ])); + + var msg782 = msg("00402", part1287); + + var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); + + var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); + + var all267 = all_match({ + processors: [ + part1288, + dup337, + part1289, + ], + on_success: processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup292, + ]), + }); + + var msg783 = msg("00402:01", all267); + + var select296 = linear_select([ + msg782, + msg783, + ]); + + var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup291, + ])); + + var msg784 = msg("00403", part1290); + + var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup4, + dup5, + dup3, + dup292, + ])); + + var msg785 = msg("00404", part1291); + + var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ + dup147, + dup2, + dup4, + dup5, + dup3, + dup291, + ])); + + var msg786 = msg("00405", part1292); + + var msg787 = msg("00406", dup413); + + var msg788 = msg("00407", dup413); + + var msg789 = msg("00408", dup413); + + var all268 = all_match({ + processors: [ + dup132, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg790 = msg("00409", all268); + + var msg791 = msg("00410", dup413); + + var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup60, + ])); + + var msg792 = msg("00410:01", part1293); + + var select297 = linear_select([ + msg791, + msg792, + ]); + + var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); + + var all269 = all_match({ + processors: [ + part1294, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg793 = msg("00411", all269); + + var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); + + var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); + + var all270 = all_match({ + processors: [ + part1295, + dup337, + part1296, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg794 = msg("00413", all270); + + var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); + + var all271 = all_match({ + processors: [ + part1297, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup61, + ]), + }); + + var msg795 = msg("00413:01", all271); + + var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup9, + ])); + + var msg796 = msg("00413:02", part1298); + + var select298 = linear_select([ + msg794, + msg795, + msg796, + ]); + + var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + ])); + + var msg797 = msg("00414", part1299); + + var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup9, + ])); + + var msg798 = msg("00414:01", part1300); + + var select299 = linear_select([ + msg797, + msg798, + ]); + + var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg799 = msg("00415", part1301); + + var all272 = all_match({ + processors: [ + dup132, + dup343, + dup294, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg800 = msg("00423", all272); + + var all273 = all_match({ + processors: [ + dup80, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup60, + ]), + }); + + var msg801 = msg("00429", all273); + + var all274 = all_match({ + processors: [ + dup132, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup60, + ]), + }); + + var msg802 = msg("00429:01", all274); + + var select300 = linear_select([ + msg801, + msg802, + ]); + + var all275 = all_match({ + processors: [ + dup80, + dup343, + dup295, + dup351, + ], + on_success: processor_chain([ + dup85, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ]), + }); + + var msg803 = msg("00430", all275); + + var all276 = all_match({ + processors: [ + dup132, + dup343, + dup295, + dup351, + ], + on_success: processor_chain([ + dup85, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup60, + ]), + }); + + var msg804 = msg("00430:01", all276); + + var select301 = linear_select([ + msg803, + msg804, + ]); + + var msg805 = msg("00431", dup414); + + var msg806 = msg("00432", dup414); + + var msg807 = msg("00433", dup415); + + var msg808 
= msg("00434", dup415); + + var msg809 = msg("00435", dup395); + + var all277 = all_match({ + processors: [ + dup132, + dup343, + dup294, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup5, + dup3, + dup60, + ]), + }); + + var msg810 = msg("00435:01", all277); + + var select302 = linear_select([ + msg809, + msg810, + ]); + + var msg811 = msg("00436", dup395); + + var all278 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup4, + dup5, + dup3, + dup60, + ]), + }); + + var msg812 = msg("00436:01", all278); + + var select303 = linear_select([ + msg811, + msg812, + ]); + + var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg813 = msg("00437", part1302); + + var all279 = all_match({ + processors: [ + dup299, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + dup9, + ]), + }); + + var msg814 = msg("00437:01", all279); + + var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + dup9, + ])); + + var msg815 = msg("00437:02", part1303); + + var select304 = linear_select([ + msg813, + msg814, + msg815, + ]); + + var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg816 = msg("00438", part1304); + + var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg817 = msg("00438:01", part1305); + + var all280 = all_match({ + processors: [ + dup299, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup61, + ]), + }); + + var msg818 = msg("00438:02", all280); + + var select305 = linear_select([ + msg816, + msg817, + msg818, + ]); + + var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ])); + + var msg819 = msg("00440", part1306); + + var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg820 = msg("00440:02", part1307); + + var all281 = all_match({ + processors: [ + dup239, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup9, + dup61, + ]), + }); + + var msg821 = msg("00440:01", all281); + + var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); + + var all282 = all_match({ + processors: [ + part1308, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup9, + dup60, + ]), + }); + + var msg822 = msg("00440:03", all282); + + var select306 = linear_select([ + msg819, + msg820, + msg821, + msg822, + ]); + + var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, + ])); + + var msg823 = msg("00441", part1309); + + var msg824 = msg("00442", dup396); + + var msg825 = msg("00443", dup396); + + var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg826 = msg("00511", part1310); + + var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); + + var all283 = all_match({ + processors: [ + part1311, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg827 = msg("00511:01", all283); + + var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg828 = msg("00511:02", part1312); + + var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); + + var all284 = all_match({ + processors: [ + part1313, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg829 = msg("00511:03", all284); + + var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); + + var all285 = all_match({ + processors: [ + part1314, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg830 = msg("00511:04", all285); + + var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); + + var all286 = all_match({ + processors: [ + part1315, + dup397, + ], + on_success: processor_chain([ + 
dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg831 = msg("00511:05", all286); + + var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); + + var all287 = all_match({ + processors: [ + part1316, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg832 = msg("00511:06", all287); + + var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); + + var all288 = all_match({ + processors: [ + part1317, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg833 = msg("00511:07", all288); + + var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); + + var all289 = all_match({ + processors: [ + part1318, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg834 = msg("00511:08", all289); + + var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); + + var all290 = all_match({ + processors: [ + part1319, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg835 = msg("00511:09", all290); + + var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); + + var all291 = all_match({ + processors: [ + part1320, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg836 = msg("00511:10", all291); + + var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); + + var all292 = 
all_match({ + processors: [ + part1321, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg837 = msg("00511:11", all292); + + var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); + + var all293 = all_match({ + processors: [ + part1322, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg838 = msg("00511:12", all293); + + var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); + + var all294 = all_match({ + processors: [ + part1323, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg839 = msg("00511:13", all294); + + var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg840 = msg("00511:14", part1324); + + var select307 = linear_select([ + msg826, + msg827, + msg828, + msg829, + msg830, + msg831, + msg832, + msg833, + msg834, + msg835, + msg836, + msg837, + msg838, + msg839, + msg840, + ]); + + var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); + + var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); + + var select308 = linear_select([ + dup123, + part1326, + dup122, + ]); + + var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); + + var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})"); + + var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); + + var select309 = linear_select([ + part1328, + part1329, + ]); + + var all295 = all_match({ + processors: [ + part1325, + select308, + part1327, + select309, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), + }); + + var msg841 = msg("00513", all295); + + var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); + + var select310 = linear_select([ + part1330, + dup287, + ]); + + var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); + + var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); + + var select311 = linear_select([ + dup96, + part1332, + ]); + + var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); + + var all296 = all_match({ + processors: [ + select310, + part1331, + select311, + part1333, + ], + on_success: processor_chain([ + dup301, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg842 = msg("00515", all296); + + var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); + + var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); + + var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); + + var select312 = linear_select([ + part1335, + part1336, + ]); + + var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); + + var all297 = all_match({ + processors: [ + part1334, + select312, + part1337, + ], + on_success: processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup4, + dup5, + dup302, + dup3, + ]), + }); + + var msg843 = msg("00515:01", all297); + + var part1338 = match("MESSAGE#834:00515:02/0", 
"nwparser.payload", "Management session via %{p0}"); + + var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); + + var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); + + var select313 = linear_select([ + part1339, + part1340, + ]); + + var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); + + var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); + + var select314 = linear_select([ + part1341, + part1342, + dup15, + ]); + + var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); + + var all298 = all_match({ + processors: [ + part1338, + select313, + select314, + part1343, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg844 = msg("00515:02", all298); + + var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); + + var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); + + var select315 = linear_select([ + part1344, + part1345, + ]); + + var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); + + var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); + + var select316 = linear_select([ + dup304, + part1347, + ]); + + var all299 = all_match({ + processors: [ + select315, + part1346, + dup398, + dup40, + select316, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg845 = msg("00515:04", all299); + + var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg846 = msg("00515:06", part1348); + + var part1349 = match("MESSAGE#837:00515:05/0", 
"nwparser.payload", "%{}Admin %{p0}"); + + var select317 = linear_select([ + dup305, + dup16, + ]); + + var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); + + var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); + + var select318 = linear_select([ + dup306, + part1351, + dup304, + ]); + + var all300 = all_match({ + processors: [ + part1349, + select317, + part1350, + dup398, + dup40, + select318, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg847 = msg("00515:05", all300); + + var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg848 = msg("00515:07", part1352); + + var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); + + var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); + + var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); + + var select319 = linear_select([ + part1354, + part1355, + ]); + + var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); + + var all301 = all_match({ + processors: [ + part1353, + select319, + part1356, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg849 = msg("00515:08", all301); + + var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg850 = msg("00515:09", part1357); + + var part1358 = 
match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg851 = msg("00515:10", part1358); + + var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg852 = msg("00515:11", part1359); + + var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); + + var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); + + var all302 = all_match({ + processors: [ + part1360, + dup399, + part1361, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg853 = msg("00515:12", all302); + + var select320 = linear_select([ + dup288, + dup287, + ]); + + var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); + + var select321 = linear_select([ + dup306, + dup304, + ]); + + var all303 = all_match({ + processors: [ + select320, + part1362, + dup398, + dup40, + select321, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg854 = msg("00515:13", all303); + + var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); + + var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); + + var select322 = linear_select([ + part1363, + part1364, + ]); + + var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); + + var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); + + var part1367 = 
match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); + + var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); + + var select323 = linear_select([ + part1366, + part1367, + part1368, + ]); + + var all304 = all_match({ + processors: [ + select322, + dup398, + part1365, + select323, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg855 = msg("00515:14", all304); + + var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); + + var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); + + var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); + + var select324 = linear_select([ + part1370, + part1371, + ]); + + var all305 = all_match({ + processors: [ + part1369, + dup398, + dup40, + select324, + dup41, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg856 = msg("00515:15", all305); + + var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); + + var select325 = linear_select([ + part1372, + dup287, + ]); + + var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); + + var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})"); + + var all306 = all_match({ + processors: [ + select325, + part1373, + dup399, + part1374, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg857 = msg("00515:16", all306); + + var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); + + var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); + + var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); + + var select326 = linear_select([ + part1376, + part1377, + ]); + + var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); + + var all307 = all_match({ + processors: [ + part1375, + select326, + part1378, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg858 = msg("00515:17", all307); + + var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg859 = msg("00515:18", part1379); + + var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); + + var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); + + var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); + + var select327 = linear_select([ + part1381, + part1382, + ]); + + var all308 = all_match({ + processors: [ + part1380, + select327, + dup41, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg860 = msg("00515:19", all308); + + var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg861 = msg("00515:20", part1383); + + var select328 = linear_select([ + msg842, + msg843, + msg844, + msg845, + msg846, + msg847, + msg848, + msg849, + msg850, + msg851, + msg852, + msg853, + msg854, + msg855, + msg856, + msg857, + msg858, + msg859, + msg860, + msg861, + ]); + + var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg862 = msg("00518", part1384); + + var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg863 = msg("00518:17", part1385); + + var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg864 = msg("00518:01", part1386); + + var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg865 = msg("00518:02", part1387); + + var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User 
%{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg866 = msg("00518:03", part1388); + + var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg867 = msg("00518:04", part1389); + + var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg868 = msg("00518:05", part1390); + + var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ + dup35, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg869 = msg("00518:06", part1391); + + var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); + + var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); + + var select329 = linear_select([ + dup24, + part1393, + ]); + + var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); + + var all309 = all_match({ + processors: [ + part1392, + select329, + part1394, + ], + on_success: processor_chain([ + dup53, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg870 = msg("00518:07", all309); + + var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ + dup35, + dup29, + dup31, + dup39, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg871 = msg("00518:08", part1395); + + var 
part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg872 = msg("00518:09", part1396); + + var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup4, + dup9, + dup5, + dup3, + dup302, + ])); + + var msg873 = msg("00518:10", part1397); + + var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); + + var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); + + var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); + + var select330 = linear_select([ + part1399, + part1400, + ]); + + var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); + + var all310 = all_match({ + processors: [ + part1398, + select330, + part1401, + ], + on_success: processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup9, + dup4, + dup5, + dup3, + ]), + }); + + var msg874 = msg("00518:11", all310); + + var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, + dup2, + dup4, + dup9, + dup5, + dup3, + ])); + + var msg875 = msg("00518:12", part1402); + + var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup9, + dup5, + ])); + + var msg876 = msg("00518:13", part1403); + + var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ + dup290, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg877 = msg("00518:14", part1404); + + var select331 = linear_select([ + msg862, + msg863, + msg864, + msg865, + msg866, + msg867, + msg868, + msg869, + msg870, + msg871, + msg872, + msg873, + msg874, + msg875, + msg876, + msg877, + ]); + + var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); + + var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); + + var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); + + var select332 = linear_select([ + dup194, + part1406, + part1407, + ]); + + var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); + + var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); + + var select333 = linear_select([ + part1409, + dup16, + ]); + + var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); + + var all311 = all_match({ + processors: [ + part1405, + select332, + part1408, + select333, + part1410, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg878 = msg("00519", all311); + + var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); + + var select334 = linear_select([ + dup307, + dup305, + ]); + + var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); + + var all312 = all_match({ + processors: [ + part1411, + select334, + part1412, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, 
+ dup4, + dup5, + ]), + }); + + var msg879 = msg("00519:01", all312); + + var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); + + var select335 = linear_select([ + dup307, + part1413, + ]); + + var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); + + var all313 = all_match({ + processors: [ + dup160, + select335, + part1414, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg880 = msg("00519:02", all313); + + var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg881 = msg("00519:03", part1415); + + var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ + dup240, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg882 = msg("00519:04", part1416); + + var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ + dup240, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg883 = msg("00519:05", part1417); + + var select336 = linear_select([ + msg878, + msg879, + msg880, + msg881, + msg882, + msg883, + ]); + + var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg884 = msg("00520", part1418); + + var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); + + var part1420 = match("MESSAGE#875:00520:01/1_0", 
"nwparser.p0", "RADIUS %{p0}"); + + var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); + + var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); + + var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); + + var select337 = linear_select([ + part1420, + part1421, + part1422, + part1423, + ]); + + var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); + + var all314 = all_match({ + processors: [ + part1419, + select337, + part1424, + ], + on_success: processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg885 = msg("00520:01", all314); + + var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); + + var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); + + var all315 = all_match({ + processors: [ + part1425, + dup400, + part1426, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg886 = msg("00520:02", all315); + + var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); + + var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); + + var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); + + var select338 = linear_select([ + part1427, + part1428, + part1429, + ]); + + var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); + + var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); + + var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); + + var all316 = all_match({ + processors: [ + dup160, + select338, + part1430, + dup400, + part1431, + dup400, + part1432, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg887 = msg("00520:03", all316); + + var part1433 = 
match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg888 = msg("00520:04", part1433); + + var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg889 = msg("00520:05", part1434); + + var select339 = linear_select([ + msg884, + msg885, + msg886, + msg887, + msg888, + msg889, + ]); + + var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg890 = msg("00521", part1435); + + var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg891 = msg("00522", part1436); + + var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg892 = msg("00523", part1437); + + var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg893 = msg("00524", part1438); + + var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg894 = msg("00524:02", part1439); + + var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg895 = msg("00524:03", part1440); + + var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg896 = msg("00524:04", part1441); + + var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg897 = msg("00524:05", part1442); + + var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg898 = msg("00524:06", part1443); + + var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg899 = msg("00524:12", part1444); + + var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ + dup19, + dup2, + dup4, + setc("result","the SNMP version type is incorrect"), + dup5, + dup9, + ])); + + var msg900 = msg("00524:14", part1445); + + var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); + + var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); + + var all317 = all_match({ + processors: [ + part1446, + dup401, + part1447, + ], + on_success: processor_chain([ + dup18, + dup2, + dup4, + dup5, + ]), + }); + + var msg901 = msg("00524:13", all317); + + var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg902 = msg("00524:07", part1448); + + var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg903 = msg("00524:08", part1449); + + var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg904 = msg("00524:09", part1450); + + var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg905 = msg("00524:10", part1451); + + var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg906 = msg("00524:11", part1452); + + var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg907 = msg("00524:16", part1453); + + var select340 = linear_select([ + msg893, + msg894, + msg895, + msg896, + msg897, + msg898, + msg899, + msg900, + msg901, + msg902, + msg903, + msg904, + msg905, + msg906, + msg907, + ]); + + var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ + dup203, + setc("ec_subject","Password"), + dup38, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg908 = msg("00525", part1454); + + var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg909 = msg("00525:01", part1455); + + var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg910 = msg("00525:02", part1456); + + var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg911 = msg("00525:03", part1457); + + var select341 = linear_select([ + msg908, + msg909, + msg910, + msg911, + ]); + + var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ + dup37, + dup219, + dup38, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg912 = msg("00526", part1458); + + var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); + + var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); + + var select342 = 
linear_select([ + dup311, + part1460, + ]); + + var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); + + var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); + + var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); + + var select343 = linear_select([ + dup312, + part1462, + part1463, + ]); + + var all318 = all_match({ + processors: [ + part1459, + select342, + part1461, + select343, + dup108, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg913 = msg("00527", all318); + + var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg914 = msg("00527:01", part1464); + + var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); + + var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); + + var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); + + var select344 = linear_select([ + dup311, + part1466, + part1467, + ]); + + var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); + + var all319 = all_match({ + processors: [ + part1465, + select344, + part1468, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg915 = msg("00527:02", all319); + + var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg916 = msg("00527:03", part1469); + + var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + 
])); + + var msg917 = msg("00527:04", part1470); + + var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); + + var all320 = all_match({ + processors: [ + dup210, + dup337, + part1471, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg918 = msg("00527:05", all320); + + var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); + + var select345 = linear_select([ + dup106, + dup127, + ]); + + var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); + + var select346 = linear_select([ + dup312, + part1473, + ]); + + var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); + + var all321 = all_match({ + processors: [ + part1472, + select345, + dup23, + select346, + part1474, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg919 = msg("00527:06", all321); + + var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg920 = msg("00527:07", part1475); + + var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg921 = msg("00527:08", part1476); + + var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); + + var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); + + var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); + + var select347 = linear_select([ + part1478, + part1479, + ]); + + var all322 = all_match({ + processors: [ + part1477, + select347, + dup41, + ], + on_success: processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg922 = msg("00527:09", all322); + + var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg923 = msg("00527:10", part1480); + + var select348 = linear_select([ + msg913, + msg914, + msg915, + msg916, + msg917, + msg918, + msg919, + msg920, + msg921, + msg922, + msg923, + ]); + + var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ + setc("eventcategory","1302010000"), + dup29, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg924 = msg("00528", part1481); + + var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg925 = msg("00528:01", part1482); + + var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg926 = msg("00528:02", part1483); + + var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg927 = msg("00528:03", part1484); + + var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg928 = msg("00528:04", part1485); + + var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg929 = msg("00528:05", part1486); + + var part1487 = match("MESSAGE#918:00528:06", 
"nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ + dup313, + dup2, + dup3, + dup4, + dup5, + setc("result","invalid version string"), + ])); + + var msg930 = msg("00528:06", part1487); + + var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); + + var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); + + var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); + + var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); + + var select349 = linear_select([ + dup88, + part1489, + part1490, + part1491, + ]); + + var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); + + var all323 = all_match({ + processors: [ + part1488, + select349, + part1492, + ], + on_success: processor_chain([ + dup314, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg931 = msg("00528:07", all323); + + var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ + dup314, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg932 = msg("00528:08", part1493); + + var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg933 = msg("00528:09", part1494); + + var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg934 = msg("00528:10", part1495); + + var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg935 = msg("00528:11", part1496); + + var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("disposition","disabled"), + ])); + + var msg936 = msg("00528:12", part1497); + + var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); + + var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); + + var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); + + var select350 = linear_select([ + part1499, + part1500, + ]); + + var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); + + var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); + + var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); + + var select351 = linear_select([ + part1503, + dup157, + ]); + + var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); + + var all324 = all_match({ + processors: [ + part1498, + select350, + part1501, + dup337, + part1502, + select351, + part1504, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg937 = msg("00528:13", all324); + + var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH 
client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg938 = msg("00528:14", part1505); + + var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); + + var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); + + var select352 = linear_select([ + dup315, + part1507, + ]); + + var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); + + var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); + + var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); + + var select353 = linear_select([ + part1509, + part1510, + ]); + + var all325 = all_match({ + processors: [ + part1506, + select352, + part1508, + select353, + dup108, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg939 = msg("00528:15", all325); + + var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg940 = msg("00528:16", part1511); + + var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg941 = msg("00528:17", part1512); + + var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); + + var all326 = all_match({ + processors: [ + dup316, + dup402, + part1513, + dup403, + dup320, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("disposition","successful"), + setc("event_description","authentication successful for admin user"), + ]), + }); + + var msg942 = msg("00528:18", all326); + + var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); + + var all327 = all_match({ + processors: [ + dup316, + dup402, + part1514, + dup403, + dup320, + ], + on_success: processor_chain([ + dup206, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup302, + dup3, + setc("event_description","authentication failed for admin user"), + ]), + }); + + var msg943 = msg("00528:26", all327); + + var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); + + var all328 = all_match({ + processors: [ + dup321, + dup404, + part1515, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg944 = msg("00528:19", all328); + + var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); + + var all329 = all_match({ + processors: [ + dup321, + dup404, + part1516, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg945 = msg("00528:20", all329); + + var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that 
client.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg946 = msg("00528:21", part1517); + + var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); + + var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); + + var all330 = all_match({ + processors: [ + part1518, + dup337, + part1519, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("result","SCS is not enabled for that interface"), + ]), + }); + + var msg947 = msg("00528:22", all330); + + var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("result","SCS cannot generate the host and server keys before timing out"), + ])); + + var msg948 = msg("00528:23", part1520); + + var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup281, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg949 = msg("00528:24", part1521); + + var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); + + var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); + + var all331 = all_match({ + processors: [ + part1522, + dup403, + part1523, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg950 = msg("00528:25", all331); + + var select354 = linear_select([ + msg924, + msg925, + msg926, + msg927, + msg928, + msg929, + msg930, + 
msg931, + msg932, + msg933, + msg934, + msg935, + msg936, + msg937, + msg938, + msg939, + msg940, + msg941, + msg942, + msg943, + msg944, + msg945, + msg946, + msg947, + msg948, + msg949, + msg950, + ]); + + var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); + + var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); + + var select355 = linear_select([ + part1524, + part1525, + ]); + + var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); + + var all332 = all_match({ + processors: [ + dup63, + select355, + part1526, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg951 = msg("00529", all332); + + var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); + + var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); + + var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); + + var select356 = linear_select([ + part1528, + part1529, + ]); + + var all333 = all_match({ + processors: [ + part1527, + select356, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg952 = msg("00529:01", all333); + + var select357 = linear_select([ + msg951, + msg952, + ]); + + var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg953 = msg("00530", part1530); + + var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); + + var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); + + var all334 = all_match({ + processors: [ + part1531, + dup337, + part1532, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), 
+ }); + + var msg954 = msg("00530:01", all334); + + var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg955 = msg("00530:02", part1533); + + var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg956 = msg("00530:03", part1534); + + var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg957 = msg("00530:04", part1535); + + var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg958 = msg("00530:05", part1536); + + var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg959 = msg("00530:06", part1537); + + var select358 = linear_select([ + msg953, + msg954, + msg955, + msg956, + msg957, + msg958, + msg959, + ]); + + var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); + + var all335 = all_match({ + processors: [ + part1538, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg960 = msg("00531", all335); + + var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg961 = msg("00531:01", 
part1539); + + var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg962 = msg("00531:02", part1540); + + var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); + + var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); + + var select359 = linear_select([ + part1542, + dup115, + ]); + + var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); + + var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); + + var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); + + var select360 = linear_select([ + part1544, + part1545, + ]); + + var all336 = all_match({ + processors: [ + part1541, + select359, + part1543, + select360, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup146, + ]), + }); + + var msg963 = msg("00531:03", all336); + + var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); + + var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); + + var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); + + var select361 = linear_select([ + part1547, + part1548, + dup189, + ]); + + var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); + + var all337 = all_match({ + processors: [ + part1546, + select361, + part1549, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg964 = msg("00531:04", all337); + + var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg965 = msg("00531:05", part1550); + + var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg966 = msg("00531:06", part1551); + + var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg967 = msg("00531:07", part1552); + + var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg968 = msg("00531:08", part1553); + + var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg969 = msg("00531:09", part1554); + + var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg970 = msg("00531:10", part1555); + + var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","system clock changed based on receive from primary NTP server"), + ])); + + var msg971 = msg("00531:11", part1556); + + var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg972 = msg("00531:12", part1557); + + var select362 = linear_select([ + msg960, + msg961, + msg962, + msg963, + msg964, + msg965, + msg966, + msg967, + msg968, + msg969, + msg970, + msg971, + msg972, + ]); + + var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg973 = msg("00533", part1558); + + var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg974 = msg("00534", part1559); + + var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg975 = msg("00535", part1560); + + var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 
certificate request is %{disposition}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg976 = msg("00535:01", part1561); + + var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg977 = msg("00535:02", part1562); + + var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg978 = msg("00535:03", part1563); + + var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + setc("result","SCEP_FAILURE message"), + ])); + + var msg979 = msg("00535:04", part1564); + + var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg980 = msg("00535:05", part1565); + + var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Saved CA configuration - cert subject name"), + ])); + + var msg981 = msg("00535:06", part1566); + + var select363 = linear_select([ + msg975, + msg976, + msg977, + msg978, + msg979, + msg980, + msg981, + ]); + + var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); + + var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); + + var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); + + var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); + + var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); + + var select364 = linear_select([ + part1568, + part1569, + part1570, + part1571, + ]); + + var all338 = all_match({ + processors: [ + part1567, + select364, + dup10, + ], + on_success: processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), + }); + + var msg982 = msg("00536:49", all338); + + var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg983 = msg("00536", part1572); + + var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg984 = msg("00536:01", part1573); + + var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg985 = msg("00536:02", part1574); + + var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg986 = msg("00536:03", part1575); + + var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ + setc("eventcategory","1801010100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg987 = msg("00536:04", part1576); + + var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg988 = msg("00536:05", part1577); + + var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg989 = msg("00536:06", part1578); + + var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg990 = msg("00536:07", part1579); + + var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg991 = msg("00536:08", part1580); + + var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg992 = msg("00536:09", part1581); + + var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg993 = msg("00536:10", part1582); + + var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after 
receiving a notification message", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg994 = msg("00536:11", part1583); + + var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg995 = msg("00536:12", part1584); + + var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg996 = msg("00536:13", part1585); + + var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); + + var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); + + var all339 = all_match({ + processors: [ + part1586, + dup383, + part1587, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg997 = msg("00536:14", all339); + + var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ])); + + var msg998 = msg("00536:50", part1588); + + var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg999 = msg("00536:15", part1589); + + var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1000 = msg("00536:16", part1590); + + var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1001 = msg("00536:17", part1591); + + var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1002 = msg("00536:18", part1592); + + var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1003 = msg("00536:19", part1593); + + var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1004 = msg("00536:20", part1594); + + var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1005 = msg("00536:21", part1595); + + var part1596 = match("MESSAGE#993:00536:22", 
"nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("result","Negotiations failed"), + ])); + + var msg1006 = msg("00536:22", part1596); + + var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("result","The time limit has elapsed"), + setc("disposition","Aborted"), + ])); + + var msg1007 = msg("00536:23", part1597); + + var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1008 = msg("00536:24", part1598); + + var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1009 = msg("00536:25", part1599); + + var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1010 = msg("00536:26", part1600); + + var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1011 = msg("00536:27", part1601); + + var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1012 = msg("00536:28", part1602); + + 
var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1013 = msg("00536:29", part1603); + + var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1014 = msg("00536:30", part1604); + + var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1015 = msg("00536:31", part1605); + + var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1016 = msg("00536:32", part1606); + + var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1017 = msg("00536:33", part1607); + + var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1018 = msg("00536:34", part1608); + + var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1019 = msg("00536:35", part1609); + + var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); + + var 
part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); + + var all340 = all_match({ + processors: [ + part1610, + dup401, + part1611, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1020 = msg("00536:36", all340); + + var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1021 = msg("00536:37", part1612); + + var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1022 = msg("00536:38", part1613); + + var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1023 = msg("00536:39", part1614); + + var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1024 = msg("00536:40", part1615); + + var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1025 = msg("00536:47", part1616); + + var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1026 = msg("00536:41", part1617); + + var part1618 = 
match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1027 = msg("00536:42", part1618); + + var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1028 = msg("00536:43", part1619); + + var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1029 = msg("00536:44", part1620); + + var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1030 = msg("00536:45", part1621); + + var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Received an IKE packet on interface"), + ])); + + var msg1031 = msg("00536:48", part1622); + + var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1032 = msg("00536:46", part1623); + + var select365 = linear_select([ + msg982, + msg983, + msg984, + msg985, + msg986, + msg987, + msg988, + msg989, + msg990, + msg991, + msg992, + msg993, + msg994, + msg995, + msg996, + msg997, + msg998, + msg999, + msg1000, + msg1001, + msg1002, + msg1003, + msg1004, + msg1005, + msg1006, + msg1007, + msg1008, + msg1009, + msg1010, + msg1011, + msg1012, + msg1013, + msg1014, + msg1015, + msg1016, + msg1017, + msg1018, + msg1019, + msg1020, + msg1021, + msg1022, + msg1023, + msg1024, + msg1025, + msg1026, + msg1027, + msg1028, + msg1029, + msg1030, + msg1031, + msg1032, + ]); + + var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg1033 = msg("00537", part1624); + + var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1034 = msg("00537:01", part1625); + + var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1035 = msg("00537:02", part1626); + + var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1036 = msg("00537:03", part1627); + + var select366 = 
linear_select([ + msg1033, + msg1034, + msg1035, + msg1036, + ]); + + var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); + + var select367 = linear_select([ + dup111, + dup119, + ]); + + var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); + + var all341 = all_match({ + processors: [ + part1628, + select367, + part1629, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1037 = msg("00538", all341); + + var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1038 = msg("00538:01", part1630); + + var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1039 = msg("00538:02", part1631); + + var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ + dup19, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg1040 = msg("00538:03", part1632); + + var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1041 = msg("00538:04", part1633); + + var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); + + var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); + + var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); + + var select368 = linear_select([ + part1635, + part1636, + ]); + + var part1637 = 
match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); + + var all342 = all_match({ + processors: [ + part1634, + select368, + part1637, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1042 = msg("00538:05", all342); + + var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); + + var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); + + var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); + + var select369 = linear_select([ + part1639, + part1640, + ]); + + var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); + + var all343 = all_match({ + processors: [ + part1638, + select369, + part1641, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1043 = msg("00538:06", all343); + + var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); + + var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); + + var select370 = linear_select([ + part1643, + dup16, + ]); + + var all344 = all_match({ + processors: [ + part1642, + select370, + dup136, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1044 = msg("00538:07", all344); + + var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1045 = msg("00538:08", part1644); + + var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ + dup301, + dup2, + dup3, + dup9, + dup4, + dup5, + 
setc("event_description","Connected to NSM server"), + ])); + + var msg1046 = msg("00538:09", part1645); + + var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); + + var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); + + var select371 = linear_select([ + part1647, + dup41, + ]); + + var all345 = all_match({ + processors: [ + part1646, + select371, + ], + on_success: processor_chain([ + dup198, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","Connection to NSM server is down"), + ]), + }); + + var msg1047 = msg("00538:10", all345); + + var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ + dup198, + dup2, + dup3, + dup9, + dup4, + dup5, + dup323, + ])); + + var msg1048 = msg("00538:11", part1648); + + var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ + dup198, + dup2, + dup3, + dup9, + dup4, + dup5, + dup323, + ])); + + var msg1049 = msg("00538:12", part1649); + + var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","Sent 2B message"), + ])); + + var msg1050 = msg("00538:13", part1650); + + var select372 = linear_select([ + msg1037, + msg1038, + msg1039, + msg1040, + msg1041, + msg1042, + msg1043, + msg1044, + msg1045, + msg1046, + msg1047, + msg1048, + msg1049, + msg1050, + ]); + + var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1051 = msg("00539", part1651); + + var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1052 = msg("00539:01", part1652); + + var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1053 = msg("00539:02", part1653); + + var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1054 = msg("00539:03", part1654); + + var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1055 = msg("00539:04", part1655); + + var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1056 = msg("00539:05", part1656); + + var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1057 = msg("00539:06", part1657); + + var select373 = linear_select([ + msg1051, + msg1052, + msg1053, + msg1054, + msg1055, + msg1056, + msg1057, + ]); + + var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ + dup324, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1058 = msg("00541", part1658); + + var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ + dup273, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1059 = msg("00541:01", part1659); + + var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ + dup273, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1060 = msg("00541:02", part1660); + + var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); + + var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); + + var select374 = linear_select([ + part1662, + dup21, + ]); + + var all346 = all_match({ + processors: [ + part1661, + select374, + ], + on_success: processor_chain([ + dup44, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1061 = msg("00541:03", all346); + + var select375 = linear_select([ + msg1058, + msg1059, + msg1060, + msg1061, + ]); + + var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1062 = msg("00542", part1663); + + var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); + + var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); + + var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); + + var select376 = linear_select([ + part1665, + part1666, + ]); + + var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); + + var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); + + var select377 = linear_select([ + part1668, + dup106, + ]); + + var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); + + var all347 = all_match({ + processors: [ + part1664, + select376, + part1667, + select377, + part1669, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup9, + dup3, + ]), + }); + + var msg1063 = msg("00543", all347); + + var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ + dup281, + dup2, + dup4, + 
dup5, + dup3, + dup60, + setc("action","RADIUS server challenge"), + ])); + + var msg1064 = msg("00544", part1670); + + var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ + dup281, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1065 = msg("00546", part1671); + + var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg1066 = msg("00547", part1672); + + var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg1067 = msg("00547:01", part1673); + + var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1068 = msg("00547:02", part1674); + + var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); + + var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); + + var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); + + var select378 = linear_select([ + part1676, + part1677, + ]); + + var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); + + var all348 = all_match({ + processors: [ + part1675, + select378, + part1678, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Content is bypassed for connection"), + ]), + }); + + var msg1069 = msg("00547:03", all348); + + var select379 = linear_select([ + msg1066, + msg1067, + msg1068, + msg1069, + ]); + + var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ + dup281, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1070 = msg("00549", part1679); + + var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1071 = msg("00551", part1680); + + var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1072 = msg("00551:01", part1681); + + var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); + + var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); + + var select380 = linear_select([ + part1683, + dup89, + ]); + + var all349 = all_match({ + processors: [ + part1682, + select380, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1073 = msg("00551:02", all349); + + var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. 
(%{fld1})", processor_chain([ + dup18, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1074 = msg("00551:03", part1684); + + var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1075 = msg("00551:04", part1685); + + var select381 = linear_select([ + msg1071, + msg1072, + msg1073, + msg1074, + msg1075, + ]); + + var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); + + var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); + + var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); + + var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); + + var select382 = linear_select([ + part1687, + part1688, + part1689, + ]); + + var all350 = all_match({ + processors: [ + part1686, + select382, + dup325, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1076 = msg("00553", all350); + + var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1077 = msg("00553:01", part1690); + + var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1078 = msg("00553:02", part1691); + + var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1079 = msg("00553:03", part1692); + + var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve 
%{p0}"); + + var select383 = linear_select([ + dup326, + dup327, + ]); + + var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); + + var all351 = all_match({ + processors: [ + part1693, + select383, + part1694, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1080 = msg("00553:04", all351); + + var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1081 = msg("00553:05", part1695); + + var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1082 = msg("00553:06", part1696); + + var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1083 = msg("00553:07", part1697); + + var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); + + var select384 = linear_select([ + dup327, + dup326, + ]); + + var all352 = all_match({ + processors: [ + part1698, + select384, + dup328, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1084 = msg("00553:08", all352); + + var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1085 = msg("00553:09", part1699); + + var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1086 = 
msg("00553:10", part1700); + + var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1087 = msg("00553:11", part1701); + + var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1088 = msg("00553:12", part1702); + + var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1089 = msg("00553:13", part1703); + + var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1090 = msg("00553:14", part1704); + + var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. 
Left usage: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1091 = msg("00553:15", part1705); + + var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1092 = msg("00553:16", part1706); + + var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1093 = msg("00553:17", part1707); + + var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1094 = msg("00553:18", part1708); + + var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1095 = msg("00553:19", part1709); + + var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1096 = msg("00553:20", part1710); + + var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1097 = msg("00553:21", part1711); + + var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1098 = msg("00553:22", part1712); + + var select385 = linear_select([ + msg1076, + msg1077, + msg1078, + msg1079, + msg1080, + msg1081, + msg1082, + msg1083, + 
msg1084, + msg1085, + msg1086, + msg1087, + msg1088, + msg1089, + msg1090, + msg1091, + msg1092, + msg1093, + msg1094, + msg1095, + msg1096, + msg1097, + msg1098, + ]); + + var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); + + var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); + + var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); + + var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); + + var select386 = linear_select([ + part1714, + part1715, + part1716, + ]); + + var all353 = all_match({ + processors: [ + part1713, + select386, + dup325, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1099 = msg("00554", all353); + + var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1100 = msg("00554:01", part1717); + + var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1101 = msg("00554:02", part1718); + + var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1102 = msg("00554:03", part1719); + + var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); + + var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. 
HTTP status code: %{fld2}."); + + var all354 = all_match({ + processors: [ + part1720, + dup405, + part1721, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1103 = msg("00554:04", all354); + + var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); + + var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); + + var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); + + var select387 = linear_select([ + part1723, + part1724, + ]); + + var all355 = all_match({ + processors: [ + part1722, + select387, + dup116, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1104 = msg("00554:05", all355); + + var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1105 = msg("00554:06", part1725); + + var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); + + var all356 = all_match({ + processors: [ + part1726, + dup405, + dup328, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1106 = msg("00554:07", all356); + + var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. 
%{fld3->} %{p0}"); + + var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); + + var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); + + var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); + + var select388 = linear_select([ + part1728, + part1729, + part1730, + ]); + + var all357 = all_match({ + processors: [ + part1727, + select388, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1107 = msg("00554:08", all357); + + var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1108 = msg("00554:09", part1731); + + var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1109 = msg("00554:10", part1732); + + var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1110 = msg("00554:11", part1733); + + var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); + + var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); + + var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); + + var select389 = linear_select([ + part1735, + part1736, + ]); + + var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); + + var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); + + var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of 
concurrent messages %{p0}"); + + var select390 = linear_select([ + part1738, + part1739, + ]); + + var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); + + var all358 = all_match({ + processors: [ + part1734, + select389, + part1737, + select390, + part1740, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1111 = msg("00554:12", all358); + + var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1112 = msg("00554:13", part1741); + + var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1113 = msg("00554:14", part1742); + + var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1114 = msg("00554:15", part1743); + + var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1115 = msg("00554:16", part1744); + + var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. 
(Exp: %{fld3})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1116 = msg("00554:17", part1745); + + var select391 = linear_select([ + msg1099, + msg1100, + msg1101, + msg1102, + msg1103, + msg1104, + msg1105, + msg1106, + msg1107, + msg1108, + msg1109, + msg1110, + msg1111, + msg1112, + msg1113, + msg1114, + msg1115, + msg1116, + ]); + + var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1117 = msg("00555", part1746); + + var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1118 = msg("00556", part1747); + + var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1119 = msg("00556:01", part1748); + + var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); + + var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); + + var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); + + var select392 = linear_select([ + part1750, + part1751, + ]); + + var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); + + var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); + + var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); + + var select393 = linear_select([ + part1753, + part1754, + ]); + + var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); + + var all359 = all_match({ + processors: [ + part1749, + select392, + part1752, + select393, + part1755, + ], + on_success: processor_chain([ + 
dup254, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1120 = msg("00556:02", all359); + + var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); + + var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); + + var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); + + var select394 = linear_select([ + part1757, + part1758, + ]); + + var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); + + var all360 = all_match({ + processors: [ + part1756, + select394, + part1759, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1121 = msg("00556:03", all360); + + var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1122 = msg("00556:04", part1760); + + var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1123 = msg("00556:05", part1761); + + var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1124 = msg("00556:06", part1762); + + var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1125 = msg("00556:07", part1763); + + var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); + + var all361 = all_match({ + processors: [ + part1764, + dup358, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1126 = msg("00556:08", all361); + + var part1765 = 
match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + dup282, + ])); + + var msg1127 = msg("00556:09", part1765); + + var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1128 = msg("00556:10", part1766); + + var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1129 = msg("00556:11", part1767); + + var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); + + var select395 = linear_select([ + dup140, + dup169, + ]); + + var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); + + var all362 = all_match({ + processors: [ + part1768, + select395, + part1769, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1130 = msg("00556:12", all362); + + var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1131 = msg("00556:13", part1770); + + var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); + + var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); + + var all363 = all_match({ + processors: [ + part1771, + dup406, + part1772, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1132 = msg("00556:14", all363); + + var 
part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); + + var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); + + var all364 = all_match({ + processors: [ + part1773, + dup406, + part1774, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + dup282, + ]), + }); + + var msg1133 = msg("00556:15", all364); + + var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); + + var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); + + var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); + + var select396 = linear_select([ + part1776, + part1777, + ]); + + var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); + + var select397 = linear_select([ + dup104, + dup120, + ]); + + var all365 = all_match({ + processors: [ + part1775, + select396, + part1778, + select397, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1134 = msg("00556:16", all365); + + var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); + + var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); + + var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); + + var select398 = linear_select([ + part1780, + part1781, + ]); + + var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); + + var all366 = all_match({ + processors: [ + part1779, + select398, + part1782, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1135 = msg("00556:17", all366); + + var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); 
+ + var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); + + var select399 = linear_select([ + dup101, + part1784, + ]); + + var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); + + var all367 = all_match({ + processors: [ + part1783, + select399, + part1785, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1136 = msg("00556:18", all367); + + var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); + + var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); + + var select400 = linear_select([ + dup103, + dup96, + ]); + + var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); + + var all368 = all_match({ + processors: [ + part1786, + dup355, + part1787, + select400, + part1788, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1137 = msg("00556:20", all368); + + var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ + dup232, + dup2, + dup3, + dup9, + dup4, + dup5, + dup282, + ])); + + var msg1138 = msg("00556:21", part1789); + + var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ + dup232, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1139 = msg("00556:22", part1790); + + var select401 = linear_select([ + msg1118, + msg1119, + msg1120, + msg1121, + msg1122, + msg1123, + msg1124, + msg1125, + msg1126, + msg1127, + msg1128, + msg1129, + msg1130, + msg1131, + msg1132, + msg1133, + msg1134, + msg1135, + msg1136, + msg1137, + msg1138, + msg1139, + ]); + + var part1791 = 
match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1140 = msg("00572", part1791); + + var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1141 = msg("00572:01", part1792); + + var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1142 = msg("00572:03", part1793); + + var select402 = linear_select([ + msg1140, + msg1141, + msg1142, + ]); + + var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1143 = msg("00615", part1794); + + var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1144 = msg("00615:01", part1795); + + var select403 = linear_select([ + msg1143, + msg1144, + ]); + + var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ])); + + var msg1145 = msg("00601", part1796); + + var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ])); + + var msg1146 = msg("00601:01", part1797); + + var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1147 = msg("00601:18", part1798); + + var select404 = linear_select([ + msg1145, + msg1146, + msg1147, + ]); + + var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1148 = msg("00602", part1799); + + var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); + + var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); + + var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); + + var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); + + var select405 = linear_select([ + part1802, + part1803, + ]); + + var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); + + var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); + + var select406 = linear_select([ + part1805, + dup96, + ]); + + var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. 
(%{fld1})"); + + var all369 = all_match({ + processors: [ + part1800, + dup353, + part1801, + select405, + part1804, + select406, + part1806, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1149 = msg("00612", all369); + + var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1150 = msg("00620", part1807); + + var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); + + var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); + + var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); + + var select407 = linear_select([ + part1809, + part1810, + ]); + + var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); + + var all370 = all_match({ + processors: [ + part1808, + select407, + part1811, + ], + on_success: processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1151 = msg("00620:01", all370); + + var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1152 = msg("00620:02", part1812); + + var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1153 = msg("00620:03", part1813); + + var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. 
(%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1154 = msg("00620:04", part1814); + + var select408 = linear_select([ + msg1150, + msg1151, + msg1152, + msg1153, + msg1154, + ]); + + var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ + dup273, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1155 = msg("00622", part1815); + + var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); + + var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); + + var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); + + var select409 = linear_select([ + part1817, + part1818, + ]); + + var all371 = all_match({ + processors: [ + part1816, + select409, + dup49, + ], + on_success: processor_chain([ + dup273, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg1156 = msg("00625", all371); + + var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); + + var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); + + var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); + + var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); + + var select410 = linear_select([ + part1820, + part1821, + part1822, + ]); + + var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); + + var all372 = all_match({ + processors: [ + part1819, + select410, + part1823, + ], + on_success: processor_chain([ + dup223, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg1157 = msg("00628", all372); + + var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin 
%{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + dup282, + ])); + + var msg1158 = msg("00767:50", part1824); + + var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1159 = msg("00767:51", part1825); + + var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1160 = msg("00767:52", part1826); + + var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1161 = msg("00767:53", part1827); + + var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ + dup27, + setc("ec_theme","Communication"), + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1162 = msg("00767", part1828); + + var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); + + var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); + + var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); + + var select411 = linear_select([ + part1830, + part1831, + ]); + + var all373 = all_match({ + processors: [ + part1829, + select411, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, 
+ ]), + }); + + var msg1163 = msg("00767:01", all373); + + var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ + setc("eventcategory","1702000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1164 = msg("00767:02", part1832); + + var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1165 = msg("00767:03", part1833); + + var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1166 = msg("00767:04", part1834); + + var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1167 = msg("00767:05", part1835); + + var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1168 = msg("00767:06", part1836); + + var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1169 = msg("00767:07", part1837); + + var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); + + var all374 = all_match({ + processors: [ + part1838, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1170 = msg("00767:08", all374); + + var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); + + var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); + + var 
part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); + + var select412 = linear_select([ + part1840, + part1841, + ]); + + var all375 = all_match({ + processors: [ + part1839, + select412, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1171 = msg("00767:09", all375); + + var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); + + var all376 = all_match({ + processors: [ + part1842, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1172 = msg("00767:10", all376); + + var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); + + var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); + + var select413 = linear_select([ + dup331, + part1844, + ]); + + var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); + + var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); + + var select414 = linear_select([ + dup331, + part1846, + ]); + + var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); + + var all377 = all_match({ + processors: [ + part1843, + select413, + part1845, + select414, + part1847, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1173 = msg("00767:11", all377); + + var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1174 = msg("00767:12", part1848); + + var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is 
changed to %{fld4->} by admin %{p0}"); + + var all378 = all_match({ + processors: [ + part1849, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1175 = msg("00767:13", all378); + + var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); + + var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); + + var select415 = linear_select([ + part1851, + dup262, + ]); + + var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); + + var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); + + var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); + + var select416 = linear_select([ + part1853, + part1854, + ]); + + var all379 = all_match({ + processors: [ + part1850, + select415, + part1852, + select416, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1176 = msg("00767:14", all379); + + var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); + + var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); + + var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); + + var select417 = linear_select([ + part1855, + part1856, + part1857, + ]); + + var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); + + var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); + + var all380 = all_match({ + processors: [ + dup183, + select417, + part1858, + dup336, + part1859, + ], + on_success: processor_chain([ + dup223, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1177 = msg("00767:15", all380); + + var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ + dup1, + 
dup2, + dup3, + dup4, + dup5, + ])); + + var msg1178 = msg("00767:16", part1860); + + var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); + + var all381 = all_match({ + processors: [ + part1861, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1179 = msg("00767:17", all381); + + var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1180 = msg("00767:18", part1862); + + var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1181 = msg("00767:19", part1863); + + var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1182 = msg("00767:20", part1864); + + var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1183 = msg("00767:21", part1865); + + var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); + + var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); + + var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var select418 = linear_select([ + part1867, + part1868, + ]); + + var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); + + var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); + + var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); + + var select419 = linear_select([ + part1870, + part1871, + ]); + + var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); + + var all382 = all_match({ + processors: [ + part1866, + select418, + part1869, + select419, + part1872, + dup354, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1184 = msg("00767:22", all382); + + var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1185 = msg("00767:23", part1873); + + var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); + + var select420 = linear_select([ + dup169, + dup16, + ]); + + var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); + + var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); + + var select421 = linear_select([ + part1875, + part1876, + ]); + + var all383 = all_match({ + processors: [ + part1874, + select420, + dup23, + select421, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1186 = msg("00767:25", all383); + + var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); + + var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); + + var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); + + var select422 = linear_select([ + part1878, + part1879, + ]); + + var part1880 = 
match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); + + var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); + + var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); + + var select423 = linear_select([ + part1881, + part1882, + ]); + + var all384 = all_match({ + processors: [ + part1877, + select422, + part1880, + select423, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1187 = msg("00767:26", all384); + + var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); + + var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); + + var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); + + var select424 = linear_select([ + part1884, + part1885, + ]); + + var all385 = all_match({ + processors: [ + part1883, + select424, + ], + on_success: processor_chain([ + dup223, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1188 = msg("00767:27", all385); + + var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1189 = msg("00767:28", part1886); + + var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1190 = msg("00767:29", part1887); + + var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin 
%{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1191 = msg("00767:30", part1888); + + var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); + + var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); + + var select425 = linear_select([ + part1889, + part1890, + ]); + + var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); + + var all386 = all_match({ + processors: [ + dup186, + select425, + part1891, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1192 = msg("00767:31", all386); + + var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); + + var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); + + var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); + + var select426 = linear_select([ + part1893, + part1894, + ]); + + var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); + + var all387 = all_match({ + processors: [ + part1892, + select426, + part1895, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1193 = msg("00767:32", all387); + + var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1194 = msg("00767:33", part1896); + + var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ + dup313, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1195 = msg("00767:34", part1897); + + var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1196 = msg("00767:35", part1898); + + var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1197 = msg("00767:36", part1899); + + var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ + dup254, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1198 = msg("00767:37", part1900); + + var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ + setc("eventcategory","1602000000"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1199 = msg("00767:38", part1901); + + var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); + + var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); + + var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); + + var select427 = linear_select([ + part1903, + part1904, + ]); + + var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); + + var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); + + var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var select428 = linear_select([ + part1906, + part1907, + ]); + + var all388 = all_match({ + processors: [ + part1902, + select427, + part1905, + select428, + dup10, + ], + on_success: processor_chain([ + dup324, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1200 = msg("00767:39", all388); + + var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ + dup62, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1201 = msg("00767:40", part1908); + + var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1202 = msg("00767:42", part1909); + + var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1203 = msg("00767:43", part1910); + + var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1204 = msg("00767:44", part1911); + + var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1205 = msg("00767:45", part1912); + + var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1206 = msg("00767:46", part1913); + + var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup9, + ])); + + var msg1207 = msg("00767:47", part1914); + + var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); + + var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); + + var all389 = all_match({ + processors: [ + part1915, + dup364, + part1916, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1208 = msg("00767:24", all389); + + var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1209 = msg("00767:48", part1917); + + var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); + + var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); + + var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); + + var select429 = linear_select([ + part1919, + part1920, + ]); + + var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); + + var all390 = all_match({ + processors: [ + part1918, + select429, + part1921, + ], + on_success: processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg1210 = msg("00767:49", all390); + + var select430 = linear_select([ + msg1158, + msg1159, + msg1160, + msg1161, + msg1162, + msg1163, + msg1164, + msg1165, + msg1166, + msg1167, + msg1168, + msg1169, + msg1170, + msg1171, + msg1172, + msg1173, + msg1174, + msg1175, + msg1176, + msg1177, + msg1178, + msg1179, + msg1180, + msg1181, + msg1182, + msg1183, + msg1184, + msg1185, + msg1186, + msg1187, + msg1188, + msg1189, + msg1190, + msg1191, + msg1192, + msg1193, + msg1194, + msg1195, + msg1196, + msg1197, + msg1198, + msg1199, + msg1200, + msg1201, + msg1202, + msg1203, + msg1204, + msg1205, + msg1206, + msg1207, + msg1208, + msg1209, + msg1210, + ]); + + var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup277, + dup3, + dup275, + dup60, + ])); + + var msg1211 = msg("01269", part1922); + + var msg1212 = msg("01269:01", dup407); + + var msg1213 = msg("01269:02", dup408); + + var msg1214 = msg("01269:03", dup409); + + var 
select431 = linear_select([ + msg1211, + msg1212, + msg1213, + msg1214, + ]); + + var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup276, + dup277, + dup275, + dup332, + ])); + + var msg1215 = msg("17852", part1923); + + var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup332, + dup282, + ])); + + var msg1216 = msg("17852:01", part1924); + + var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup61, + ])); + + var msg1217 = msg("17852:02", part1925); + + var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup332, 
+ dup282, + ])); + + var msg1218 = msg("17852:03", part1926); + + var select432 = linear_select([ + msg1215, + msg1216, + msg1217, + msg1218, + ]); + + var msg1219 = msg("23184", dup410); + + var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup61, + dup282, + ])); + + var msg1220 = msg("23184:01", part1927); + + var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup276, + dup277, + dup275, + dup61, + ])); + + var msg1221 = msg("23184:02", part1928); + + var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup332, + dup282, + ])); + + var msg1222 = msg("23184:03", part1929); + + var select433 = linear_select([ + msg1219, + msg1220, + msg1221, + msg1222, + ]); + + var msg1223 = msg("27052", dup410); + + var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} 
service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup61, + dup282, + ])); + + var msg1224 = msg("27052:01", part1930); + + var select434 = linear_select([ + msg1223, + msg1224, + ]); + + var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup277, + dup5, + dup274, + dup3, + dup275, + dup276, + dup60, + ])); + + var msg1225 = msg("39568", part1931); + + var msg1226 = msg("39568:01", dup407); + + var msg1227 = msg("39568:02", dup408); + + var msg1228 = msg("39568:03", dup409); + + var select435 = linear_select([ + msg1225, + msg1226, + msg1227, + msg1228, + ]); + + var chain1 = processor_chain([ + select2, + msgid_select({ + "00001": select6, + "00002": select29, + "00003": select31, + "00004": select33, + "00005": select39, + "00006": select40, + "00007": select63, + "00008": select66, + "00009": select83, + "00010": select86, + "00011": select100, + "00012": select101, + "00013": select102, + "00014": select104, + "00015": select114, + "00016": select115, + "00017": select125, + "00018": select138, + "00019": select147, + "00020": select150, + "00021": select151, + "00022": select163, + "00023": select164, + "00024": select170, + "00025": select171, + "00026": select176, + "00027": select184, + "00028": msg469, + "00029": select188, + "00030": select197, + "00031": select205, + "00032": select207, + "00033": select214, + "00034": select225, + "00035": select232, + "00036": select234, + "00037": select241, + "00038": msg660, + "00039": msg661, + 
"00040": select244, + "00041": select245, + "00042": select246, + "00043": msg668, + "00044": select248, + "00045": msg671, + "00047": msg672, + "00048": select257, + "00049": select258, + "00050": msg682, + "00051": msg683, + "00052": msg684, + "00055": select265, + "00056": msg696, + "00057": msg697, + "00058": msg698, + "00059": select272, + "00062": select273, + "00063": msg713, + "00064": select274, + "00070": select276, + "00071": select277, + "00072": select278, + "00073": select279, + "00074": msg726, + "00075": select280, + "00076": select281, + "00077": select282, + "00084": msg735, + "00090": msg736, + "00200": msg737, + "00201": msg738, + "00202": msg739, + "00203": msg740, + "00206": select285, + "00207": select286, + "00257": select291, + "00259": select294, + "00262": msg778, + "00263": msg779, + "00400": msg780, + "00401": msg781, + "00402": select296, + "00403": msg784, + "00404": msg785, + "00405": msg786, + "00406": msg787, + "00407": msg788, + "00408": msg789, + "00409": msg790, + "00410": select297, + "00411": msg793, + "00413": select298, + "00414": select299, + "00415": msg799, + "00423": msg800, + "00429": select300, + "00430": select301, + "00431": msg805, + "00432": msg806, + "00433": msg807, + "00434": msg808, + "00435": select302, + "00436": select303, + "00437": select304, + "00438": select305, + "00440": select306, + "00441": msg823, + "00442": msg824, + "00443": msg825, + "00511": select307, + "00513": msg841, + "00515": select328, + "00518": select331, + "00519": select336, + "00520": select339, + "00521": msg890, + "00522": msg891, + "00523": msg892, + "00524": select340, + "00525": select341, + "00526": msg912, + "00527": select348, + "00528": select354, + "00529": select357, + "00530": select358, + "00531": select362, + "00533": msg973, + "00534": msg974, + "00535": select363, + "00536": select365, + "00537": select366, + "00538": select372, + "00539": select373, + "00541": select375, + "00542": msg1062, + "00543": msg1063, + 
"00544": msg1064, + "00546": msg1065, + "00547": select379, + "00549": msg1070, + "00551": select381, + "00553": select385, + "00554": select391, + "00555": msg1117, + "00556": select401, + "00572": select402, + "00601": select404, + "00602": msg1148, + "00612": msg1149, + "00615": select403, + "00620": select408, + "00622": msg1155, + "00625": msg1156, + "00628": msg1157, + "00767": select430, + "01269": select431, + "17852": select432, + "23184": select433, + "27052": select434, + "39568": select435, + }), + ]); + + var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); + + var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); + + var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); + + var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); + + var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); + + var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); + + var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); + + var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); + + var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); + + var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); + + var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); + + var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); + + var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); + + var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); + + var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); + + var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); + + var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", 
"disposition"); + + var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); + + var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); + + var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); + + var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); + + var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); + + var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); + + var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); + + var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); + + var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); + + var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); + + var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); + + var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); + + var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); + + var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); + + var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); + + var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); + + var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); + + var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); + + var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); + + var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); + + var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); + + var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); + + var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); + + var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); + + var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); + + var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); + + var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); + + var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); + + var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); + + var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); + + var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); + + var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); + + var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); + + var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); + + var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); + + var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); + + var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); + + var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); + + var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); + + var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); + + var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); + + var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); + + var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); + + var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); + + var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); + + var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); + + var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); + + var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); + + var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); + + var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); + + var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); + + var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); + + var part2004 = match("MESSAGE#163:00007:57/3_1", 
"nwparser.p0", "that %{p0}"); + + var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); + + var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); + + var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); + + var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); + + var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); + + var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); + + var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); + + var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); + + var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); + + var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); + + var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); + + var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); + + var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); + + var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); + + var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); + + var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); + + var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); + + var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); + + var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); + + var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); + + var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); + + var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); + + var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); + + var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); + + var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); + + var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); + + var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); + + var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); + + var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); + + var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); + + var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); + + var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); + + var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); + + var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); + + var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); + + var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); + + var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); + + var part2044 = 
match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); + + var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); + + var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); + + var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); + + var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); + + var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); + + var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); + + var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); + + var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); + + var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); + + var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); + + var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); + + var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); + + var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); + + var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); + + var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); + + var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); + + var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); + + var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); + + var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); + + var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); + + var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); + + var part2066 = 
match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); + + var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); + + var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); + + var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); + + var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); + + var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); + + var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); + + var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); + + var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); + + var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); + + var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); + + var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); + + var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); + + var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); + + var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); + + var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); + + var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); + + var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); + + var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); + + var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); + + var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); + + var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); + + var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); + + var part2089 = 
match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); + + var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); + + var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); + + var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); + + var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); + + var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); + + var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); + + var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); + + var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); + + var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); + + var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); + + var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); + + var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); + + var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); + + var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); + + var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); + + var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); + + var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); + + var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); + + var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); + + var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); + + var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); + + var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); + + var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); + + var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); + + var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); + + var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); + + var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); + + var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); + + var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); + + var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); + + var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); + + var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); + + var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); + + var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); + + var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); + + var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); + + var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); + + var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); + + var part2129 = 
match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); + + var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); + + var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); + + var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); + + var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); + + var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); + + var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); + + var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); + + var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); + + var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); + + var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); + + var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); + + var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); + + var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); + + var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); + + var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); + + var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + + var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); + + var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); + + var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); + + var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); + + var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); + + var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); + + var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); + + var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); + + var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); + + var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); + + var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); + + var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); + + var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); + + var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); + + var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); + + var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); + + var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); + + var part2167 = 
match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); + + var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); + + var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); + + var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); + + var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); + + var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); + + var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); + + var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); + + var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); + + var select436 = linear_select([ + dup10, + dup11, + ]); + + var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var select437 = linear_select([ + dup13, + dup14, + ]); + + var select438 = linear_select([ + dup15, + dup16, + ]); + + var select439 = linear_select([ + dup56, + dup57, + ]); + + var select440 = linear_select([ + dup65, + dup66, + ]); + + var select441 = linear_select([ + dup68, + dup69, + ]); + + var select442 = linear_select([ + dup71, + dup72, + ]); + + var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var select443 = linear_select([ + dup74, + dup75, + ]); + + var select444 = linear_select([ + dup81, + dup82, + ]); + + var select445 = linear_select([ + dup24, + dup90, + ]); + + var select446 = linear_select([ + dup94, + dup95, + ]); + + var select447 = linear_select([ + dup98, + dup99, + ]); + + var select448 = linear_select([ + dup100, + dup101, + dup102, + ]); + + 
var select449 = linear_select([ + dup113, + dup114, + ]); + + var select450 = linear_select([ + dup111, + dup16, + ]); + + var select451 = linear_select([ + dup127, + dup107, + ]); + + var select452 = linear_select([ + dup8, + dup21, + ]); + + var select453 = linear_select([ + dup122, + dup133, + ]); + + var select454 = linear_select([ + dup142, + dup143, + ]); + + var select455 = linear_select([ + dup145, + dup21, + ]); + + var select456 = linear_select([ + dup127, + dup106, + ]); + + var select457 = linear_select([ + dup152, + dup96, + ]); + + var select458 = linear_select([ + dup154, + dup155, + ]); + + var select459 = linear_select([ + dup156, + dup157, + ]); + + var select460 = linear_select([ + dup99, + dup134, + ]); + + var select461 = linear_select([ + dup158, + dup159, + ]); + + var select462 = linear_select([ + dup161, + dup162, + ]); + + var select463 = linear_select([ + dup163, + dup103, + ]); + + var select464 = linear_select([ + dup162, + dup161, + ]); + + var select465 = linear_select([ + dup46, + dup47, + ]); + + var select466 = linear_select([ + dup166, + dup167, + ]); + + var select467 = linear_select([ + dup172, + dup173, + ]); + + var select468 = linear_select([ + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + ]); + + var select469 = linear_select([ + dup49, + dup21, + ]); + + var select470 = linear_select([ + dup189, + dup190, + ]); + + var select471 = linear_select([ + dup96, + dup152, + ]); + + var select472 = linear_select([ + dup196, + dup197, + ]); + + var select473 = linear_select([ + dup24, + dup200, + ]); + + var select474 = linear_select([ + dup103, + dup163, + ]); + + var select475 = linear_select([ + dup205, + dup118, + ]); + + var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var select476 = linear_select([ + dup212, + dup213, + 
]); + + var select477 = linear_select([ + dup215, + dup216, + ]); + + var select478 = linear_select([ + dup222, + dup215, + ]); + + var select479 = linear_select([ + dup224, + dup225, + ]); + + var select480 = linear_select([ + dup231, + dup124, + ]); + + var select481 = linear_select([ + dup229, + dup230, + ]); + + var select482 = linear_select([ + dup233, + dup234, + ]); + + var select483 = linear_select([ + dup236, + dup237, + ]); + + var select484 = linear_select([ + dup242, + dup243, + ]); + + var select485 = linear_select([ + dup245, + dup246, + ]); + + var select486 = linear_select([ + dup247, + dup248, + ]); + + var select487 = linear_select([ + dup249, + dup250, + ]); + + var select488 = linear_select([ + dup251, + dup252, + ]); + + var select489 = linear_select([ + dup260, + dup261, + ]); + + var select490 = linear_select([ + dup264, + dup265, + ]); + + var select491 = linear_select([ + dup268, + dup269, + ]); + + var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var select492 = linear_select([ + dup284, + dup285, + ]); + + var select493 = linear_select([ + dup287, + dup288, + ]); + + var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup60, + ])); + + var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, + ])); + + var select494 = linear_select([ + dup300, + dup26, + ]); + + var select495 = linear_select([ + dup115, + dup303, + ]); + + var select496 = linear_select([ + dup125, + dup96, + ]); + + var select497 = linear_select([ + dup189, + dup308, + dup309, + ]); + + var select498 = linear_select([ + dup310, + dup16, + ]); + + var select499 = linear_select([ + dup317, + dup318, + ]); + + var select500 = linear_select([ + dup319, + dup315, + ]); + + var select501 = linear_select([ + dup322, + dup250, + ]); + + var select502 = linear_select([ + dup327, + dup329, + ]); + + var select503 = linear_select([ + dup330, + dup129, + ]); + + var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup60, + dup282, + ])); + + var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup60, + ])); + + var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + 
dup274, + dup3, + dup275, + dup60, + dup282, + ])); + + var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup61, + ])); + + var all391 = all_match({ + processors: [ + dup263, + dup390, + dup266, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var all392 = all_match({ + processors: [ + dup267, + dup391, + dup270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var all393 = all_match({ + processors: [ + dup80, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var all394 = all_match({ + processors: [ + dup296, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + + var all395 = all_match({ + processors: [ + dup298, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: 
server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/juniper/1.1.1/data_stream/netscreen/agent/stream/tcp.yml.hbs b/packages/juniper/1.1.1/data_stream/netscreen/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..0a6ba053fa --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/netscreen/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,26354 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Juniper" + product: "Netscreen" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} for %{p0}"); + + var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); + + var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); + + var dup9 = date_time({ + dest: "event_time", + args: ["fld1"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); + + var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); + + var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); + + var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); + + var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); + + var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); + + var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); + + var dup17 = setc("eventcategory","1502000000"); + + var dup18 = setc("eventcategory","1703000000"); + + var dup19 = setc("eventcategory","1603000000"); + + var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); + + var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); + + var dup22 = setc("eventcategory","1502050000"); + + var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); + + var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); + + var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); + + var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); + + var dup27 = setc("eventcategory","1801010000"); + + var dup28 = setc("eventcategory","1401060000"); + + var dup29 = setc("ec_subject","User"); + + var dup30 = setc("ec_activity","Logon"); + + var dup31 = setc("ec_theme","Authentication"); + + var dup32 = 
setc("ec_outcome","Success"); + + var dup33 = setc("eventcategory","1401070000"); + + var dup34 = setc("ec_activity","Logoff"); + + var dup35 = setc("eventcategory","1303000000"); + + var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); + + var dup37 = setc("eventcategory","1402020200"); + + var dup38 = setc("ec_theme","UserGroup"); + + var dup39 = setc("ec_outcome","Error"); + + var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); + + var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); + + var dup42 = setc("eventcategory","1402020300"); + + var dup43 = setc("ec_activity","Modify"); + + var dup44 = setc("eventcategory","1605000000"); + + var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); + + var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); + + var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); + + var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); + + var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); + + var dup50 = setc("eventcategory","1701020000"); + + var dup51 = setc("ec_theme","Configuration"); + + var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); + + var dup53 = setc("eventcategory","1301000000"); + + var dup54 = setc("ec_outcome","Failure"); + + var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); + + var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); + + var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); + + var dup58 = setc("eventcategory","1001000000"); + + var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); + + var dup60 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("saddr"), + field("daddr"), + ], + }); + + var dup61 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("saddr"), + field("daddr"), + field("sport"), + field("dport"), + ], + }); + + var dup62 = setc("eventcategory","1608010000"); + + var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); + + var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); + + var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); + + var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); + + var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); + + var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); + + var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); + + var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); + + var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); + + var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); + + var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); + + var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); + + var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); + + var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); + + var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); + + var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); + + var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); + + var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); + + var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var dup84 = setc("eventcategory","1002020000"); + + var dup85 = setc("eventcategory","1002000000"); + + var dup86 = setc("eventcategory","1603110000"); + + var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); + + var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); + + var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); + + var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); + + var dup91 = setc("eventcategory","1613040200"); + + var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); + + var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); + + var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); + + var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); + + var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); + + var dup97 = setc("eventcategory","1613050200"); + + var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); + + var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); + + var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); + + var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); + + var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); + + var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); + + var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); + + var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); + + var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); + + var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); + + var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); + + var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); + + var dup110 = 
match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); + + var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); + + var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); + + var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); + + var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); + + var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); + + var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); + + var dup117 = setc("eventcategory","1603090000"); + + var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); + + var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); + + var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); + + var dup121 = setc("eventcategory","1603030000"); + + var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); + + var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); + + var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); + + var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); + + var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); + + var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); + + var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); + + var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); + + var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); + + var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); + + var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); + + var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); + + var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); + + var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); + + var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); + + var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); + + var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); + + var dup141 = setc("eventcategory","1702030000"); + + var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); + + var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); + + var dup144 = setc("eventcategory","1601000000"); + + var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); + + var dup146 = date_time({ + dest: "event_time", + args: ["fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup147 = setc("eventcategory","1103000000"); + + var dup148 = setc("ec_subject","NetworkComm"); + + var dup149 = setc("ec_activity","Scan"); + + var dup150 = setc("ec_theme","TEV"); + + var dup151 = setc("eventcategory","1103010000"); + + var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); + + var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); + + var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); + + var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); + + var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled 
%{p0}"); + + var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); + + var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); + + var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); + + var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); + + var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); + + var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); + + var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); + + var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); + + var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); + + var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); + + var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); + + var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); + + var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); + + var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); + + var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); + + var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); + + var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); + + var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); + + var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); + + var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); + + var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); + + var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); + + var dup179 = 
match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); + + var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); + + var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); + + var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); + + var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); + + var dup184 = setc("eventcategory","1603020000"); + + var dup185 = setc("eventcategory","1803000000"); + + var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); + + var dup187 = setc("eventcategory","1603010000"); + + var dup188 = setc("eventcategory","1603100000"); + + var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); + + var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); + + var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); + + var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); + + var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); + + var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); + + var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); + + var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); + + var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); + + var dup198 = setc("eventcategory","1801030000"); + + var dup199 = setc("eventcategory","1302010200"); + + var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); + + var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); + + var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); + + var dup203 = setc("eventcategory","1304000000"); + + var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); + + var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", 
"occurred for %{p0}"); + + var dup206 = setc("eventcategory","1401030000"); + + var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); + + var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); + + var dup209 = setc("eventcategory","1605020000"); + + var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); + + var dup211 = setc("ec_subject","Certificate"); + + var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); + + var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); + + var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); + + var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); + + var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); + + var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); + + var dup218 = setc("ec_subject","CryptoKey"); + + var dup219 = setc("ec_subject","Configuration"); + + var dup220 = setc("ec_activity","Request"); + + var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); + + var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); + + var dup223 = setc("eventcategory","1612000000"); + + var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); + + var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); + + var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); + + var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); + + var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); + + var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); + + var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); + + var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); + + var dup232 
= setc("eventcategory","1201000000"); + + var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); + + var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); + + var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); + + var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); + + var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); + + var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); + + var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup240 = setc("eventcategory","1401000000"); + + var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); + + var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); + + var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); + + var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); + + var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); + + var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); + + var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); + + var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); + + var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); + + var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); + + var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); + + var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); + + var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); + + var dup254 = setc("eventcategory","1608000000"); + + var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: 
%{p0}"); + + var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); + + var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); + + var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); + + var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); + + var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); + + var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); + + var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); + + var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); + + var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); + + var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); + + var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); + + var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); + + var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); + + var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); + + var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var dup272 = setc("eventcategory","1805010000"); + + var dup273 = setc("eventcategory","1805000000"); + + var dup274 = date_time({ + dest: "starttime", + args: ["fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup275 = call({ + dest: "nwparser.bytes", + fn: CALC, + args: [ + field("sbytes"), + constant("+"), + field("rbytes"), + ], + }); + + var dup276 = setc("action","Deny"); + + var dup277 = setc("disposition","Deny"); + + var dup278 = setc("direction","outgoing"); + + var dup279 = call({ + dest: 
"nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("saddr"), + field("daddr"), + field("sport"), + field("dport"), + ], + }); + + var dup280 = setc("direction","incoming"); + + var dup281 = setc("eventcategory","1801000000"); + + var dup282 = setf("action","disposition"); + + var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); + + var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); + + var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); + + var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); + + var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); + + var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); + + var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); + + var dup290 = setc("eventcategory","1401050200"); + + var dup291 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("daddr"), + field("saddr"), + ], + }); + + var dup292 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("daddr"), + field("saddr"), + field("dport"), + field("sport"), + ], + }); + + var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); + + var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); + + var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); + + var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup297 = setc("eventcategory","1204000000"); + + var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + + var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); + + var dup301 = setc("eventcategory","1801020000"); + + var dup302 = setc("disposition","failed"); + + var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); + + var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); + + var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); + + var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); + + var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); + + var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); + + var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); + + var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); + + var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); + + var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); + + var dup313 = setc("eventcategory","1803020000"); + + var dup314 = setc("eventcategory","1613030000"); + + var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); + + var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); + + var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); + + var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); + + var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); + + var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); + + var dup321 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); + + var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); + + var dup323 = setc("event_description","Cannot connect to NSM server"); + + var dup324 = setc("eventcategory","1603040000"); + + var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); + + var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); + + var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); + + var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); + + var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); + + var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); + + var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); + + var dup332 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("daddr"), + field("saddr"), + field("dport"), + field("sport"), + ], + }); + + var dup333 = linear_select([ + dup10, + dup11, + ]); + + var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var dup335 = linear_select([ + dup13, + dup14, + ]); + + var dup336 = linear_select([ + dup15, + dup16, + ]); + + var dup337 = linear_select([ + dup56, + dup57, + ]); + + var dup338 = linear_select([ + dup65, + dup66, + ]); + + var dup339 = linear_select([ + dup68, + dup69, + ]); + + var dup340 = linear_select([ + dup71, + dup72, + ]); + + var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var dup342 = linear_select([ + dup74, + dup75, + ]); + + var dup343 = linear_select([ + dup81, + dup82, + ]); + + var dup344 = linear_select([ + 
dup24, + dup90, + ]); + + var dup345 = linear_select([ + dup94, + dup95, + ]); + + var dup346 = linear_select([ + dup98, + dup99, + ]); + + var dup347 = linear_select([ + dup100, + dup101, + dup102, + ]); + + var dup348 = linear_select([ + dup113, + dup114, + ]); + + var dup349 = linear_select([ + dup111, + dup16, + ]); + + var dup350 = linear_select([ + dup127, + dup107, + ]); + + var dup351 = linear_select([ + dup8, + dup21, + ]); + + var dup352 = linear_select([ + dup122, + dup133, + ]); + + var dup353 = linear_select([ + dup142, + dup143, + ]); + + var dup354 = linear_select([ + dup145, + dup21, + ]); + + var dup355 = linear_select([ + dup127, + dup106, + ]); + + var dup356 = linear_select([ + dup152, + dup96, + ]); + + var dup357 = linear_select([ + dup154, + dup155, + ]); + + var dup358 = linear_select([ + dup156, + dup157, + ]); + + var dup359 = linear_select([ + dup99, + dup134, + ]); + + var dup360 = linear_select([ + dup158, + dup159, + ]); + + var dup361 = linear_select([ + dup161, + dup162, + ]); + + var dup362 = linear_select([ + dup163, + dup103, + ]); + + var dup363 = linear_select([ + dup162, + dup161, + ]); + + var dup364 = linear_select([ + dup46, + dup47, + ]); + + var dup365 = linear_select([ + dup166, + dup167, + ]); + + var dup366 = linear_select([ + dup172, + dup173, + ]); + + var dup367 = linear_select([ + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + ]); + + var dup368 = linear_select([ + dup49, + dup21, + ]); + + var dup369 = linear_select([ + dup189, + dup190, + ]); + + var dup370 = linear_select([ + dup96, + dup152, + ]); + + var dup371 = linear_select([ + dup196, + dup197, + ]); + + var dup372 = linear_select([ + dup24, + dup200, + ]); + + var dup373 = linear_select([ + dup103, + dup163, + ]); + + var dup374 = linear_select([ + dup205, + dup118, + ]); + + var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to 
%{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var dup376 = linear_select([ + dup212, + dup213, + ]); + + var dup377 = linear_select([ + dup215, + dup216, + ]); + + var dup378 = linear_select([ + dup222, + dup215, + ]); + + var dup379 = linear_select([ + dup224, + dup225, + ]); + + var dup380 = linear_select([ + dup231, + dup124, + ]); + + var dup381 = linear_select([ + dup229, + dup230, + ]); + + var dup382 = linear_select([ + dup233, + dup234, + ]); + + var dup383 = linear_select([ + dup236, + dup237, + ]); + + var dup384 = linear_select([ + dup242, + dup243, + ]); + + var dup385 = linear_select([ + dup245, + dup246, + ]); + + var dup386 = linear_select([ + dup247, + dup248, + ]); + + var dup387 = linear_select([ + dup249, + dup250, + ]); + + var dup388 = linear_select([ + dup251, + dup252, + ]); + + var dup389 = linear_select([ + dup260, + dup261, + ]); + + var dup390 = linear_select([ + dup264, + dup265, + ]); + + var dup391 = linear_select([ + dup268, + dup269, + ]); + + var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var dup393 = linear_select([ + dup284, + dup285, + ]); + + var dup394 = linear_select([ + dup287, + dup288, + ]); + + var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup60, + ])); + + var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, + ])); + + var dup397 = linear_select([ + dup300, + dup26, + ]); + + var dup398 = linear_select([ + dup115, + dup303, + ]); + + var dup399 = linear_select([ + dup125, + dup96, + ]); + + var dup400 = linear_select([ + dup189, + dup308, + dup309, + ]); + + var dup401 = linear_select([ + dup310, + dup16, + ]); + + var dup402 = linear_select([ + dup317, + dup318, + ]); + + var dup403 = linear_select([ + dup319, + dup315, + ]); + + var dup404 = linear_select([ + dup322, + dup250, + ]); + + var dup405 = linear_select([ + dup327, + dup329, + ]); + + var dup406 = linear_select([ + dup330, + dup129, + ]); + + var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup60, + dup282, + ])); + + var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup60, + ])); + + var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup60, + 
dup282, + ])); + + var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup61, + ])); + + var dup411 = all_match({ + processors: [ + dup263, + dup390, + dup266, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var dup412 = all_match({ + processors: [ + dup267, + dup391, + dup270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var dup413 = all_match({ + processors: [ + dup80, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var dup414 = all_match({ + processors: [ + dup296, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + + var dup415 = all_match({ + processors: [ + dup298, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr4 = 
match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); + + var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); + + var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); + + var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); + + var select1 = linear_select([ + part1, + part2, + part3, + ]); + + var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); + + var all1 = all_match({ + processors: [ + hdr4, + select1, + part4, + ], + on_success: processor_chain([ + setc("header_id","0002"), + ]), + }); + + var select2 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + ]); + + var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1 = msg("00001", part5); + + var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg2 = msg("00001:01", part6); + + var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); + + var select3 = linear_select([ + part7, + dup7, + ]); + + var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); + + var all2 = all_match({ + processors: [ + dup6, + select3, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg3 = msg("00001:02", all2); + + var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg4 = msg("00001:03", part9); + + var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); + + 
var select4 = linear_select([ + part10, + dup7, + ]); + + var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); + + var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); + + var select5 = linear_select([ + dup8, + part12, + ]); + + var all3 = all_match({ + processors: [ + dup6, + select4, + part11, + select5, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg5 = msg("00001:04", all3); + + var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); + + var all4 = all_match({ + processors: [ + part13, + dup333, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg6 = msg("00001:05", all4); + + var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg7 = msg("00001:06", part14); + + var msg8 = msg("00001:07", dup334); + + var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); + + var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); + + var all5 = all_match({ + processors: [ + dup12, + dup335, + part15, + dup336, + part16, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg9 = msg("00001:08", all5); + + var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); + + var all6 = all_match({ + processors: [ + dup12, + dup335, + part17, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg10 = msg("00001:09", all6); + + var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg11 = msg("00002:03", part18); + + var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg12 = msg("00002:04", part19); + + var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg13 = msg("00002:05", part20); + + var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg14 = msg("00002:06", part21); + + var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg15 = msg("00002:07", part22); + + var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg16 = msg("00002:55", part23); + + var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg17 = msg("00002:08", part24); + + var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg18 = msg("00002:09", part25); + + var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg19 = msg("00002:10", part26); + + var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg20 = msg("00002:11", part27); + + var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg21 = msg("00002:12", part28); + + var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg22 = msg("00002:15", part29); + + var msg23 = msg("00002:17", dup334); + + var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); + + var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); + + var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); + + var select7 = linear_select([ + part31, + part32, + ]); + + var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); + + var all7 = all_match({ + processors: [ + 
part30, + select7, + part33, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg24 = msg("00002:18", all7); + + var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg25 = msg("00002:19", part34); + + var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); + + var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); + + var select8 = linear_select([ + part36, + dup20, + dup21, + ]); + + var all8 = all_match({ + processors: [ + part35, + select8, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg26 = msg("00002:20", all8); + + var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); + + var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); + + var select9 = linear_select([ + part37, + part38, + ]); + + var select10 = linear_select([ + dup24, + dup25, + ]); + + var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); + + var all9 = all_match({ + processors: [ + select9, + dup23, + select10, + part39, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg27 = msg("00002:21", all9); + + var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); + + var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); + + var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", 
"%{administrator->} from host %{saddr}"); + + var select11 = linear_select([ + part41, + part42, + dup26, + ]); + + var all10 = all_match({ + processors: [ + part40, + select11, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg28 = msg("00002:22", all10); + + var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); + + var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); + + var select12 = linear_select([ + dup20, + part44, + dup21, + ]); + + var all11 = all_match({ + processors: [ + part43, + select12, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg29 = msg("00002:23", all11); + + var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); + + var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); + + var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); + + var select13 = linear_select([ + part46, + part47, + ]); + + var all12 = all_match({ + processors: [ + part45, + select13, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg30 = msg("00002:24", all12); + + var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + setc("eventcategory","1402000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg31 = msg("00002:25", part48); + + var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg32 = msg("00002:26", 
part49); + + var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg33 = msg("00002:27", part50); + + var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg34 = msg("00002:28", part51); + + var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg35 = msg("00002:29", part52); + + var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ + dup28, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg36 = msg("00002:30", part53); + + var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ + dup33, + dup29, + dup34, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg37 = msg("00002:41", part54); + + var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup35, + dup29, + dup30, + dup31, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg38 = msg("00002:31", part55); + + var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); + + var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); + + var select14 = 
linear_select([ + part56, + part57, + ]); + + var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); + + var all13 = all_match({ + processors: [ + select14, + part58, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg39 = msg("00002:32", all13); + + var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg40 = msg("00002:35", part59); + + var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); + + var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); + + var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); + + var select15 = linear_select([ + part61, + part62, + ]); + + var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); + + var all14 = all_match({ + processors: [ + part60, + select15, + part63, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg41 = msg("00002:36", all14); + + var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); + + var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); + + var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); + + var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); + + var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); + + var select16 = linear_select([ + part65, + part66, + part67, + part68, + ]); + + var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); + + var all15 = all_match({ + processors: [ + part64, + select16, + part69, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg42 = 
msg("00002:37", all15); + + var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); + + var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); + + var select17 = linear_select([ + part71, + dup36, + ]); + + var all16 = all_match({ + processors: [ + part70, + select17, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg43 = msg("00002:38", all16); + + var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg44 = msg("00002:39", part72); + + var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ + dup37, + dup29, + setc("ec_activity","Create"), + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg45 = msg("00002:40", part73); + + var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg46 = msg("00002:44", part74); + + var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); + + var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); + + var select18 = linear_select([ + part76, + dup40, + ]); + + var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); + + var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); + + var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); + + var select19 = linear_select([ + part78, + part79, + ]); + + var all17 = all_match({ + processors: [ + part75, + select18, + part77, + select19, + dup41, + ], + on_success: processor_chain([ + dup42, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg47 = msg("00002:42", all17); + + var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); + + var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); + + var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); + + var select20 = linear_select([ + part81, + part82, + ]); + + var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + + var all18 = all_match({ + processors: [ + part80, + select20, + part83, + ], + on_success: processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg48 = msg("00002:43", all18); + + var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by 
%{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg49 = msg("00002:50", part84); + + var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg50 = msg("00002:51", part85); + + var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg51 = msg("00002:45", part86); + + var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); + + var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); + + var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); + + var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); + + var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); + + var select21 = linear_select([ + part87, + part88, + part89, + part90, + part91, + ]); + + var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); + + var all19 = all_match({ + processors: [ + select21, + part92, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg52 = msg("00002:47", all19); + + var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); + + var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); + + var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); + + var select22 = linear_select([ + part94, + part95, + ]); + + var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); + + var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); + + var select23 = linear_select([ + part97, + dup45, + ]); + + var all20 = all_match({ + processors: [ + part93, + select22, + part96, + select23, + dup41, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg53 = msg("00002:48", all20); + + var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); + + var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); + + var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); + + var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); + + var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); + + var select24 = linear_select([ + part99, + part100, + part101, + part102, + ]); + + var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); + + var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); + + var select25 = linear_select([ + dup46, + part104, + dup47, + ]); + + var select26 = linear_select([ + dup48, + dup45, + ]); + + var all21 = all_match({ + processors: [ + 
part98, + select24, + part103, + select25, + select26, + dup41, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg54 = msg("00002:52", all21); + + var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ + dup42, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg55 = msg("00002:53", part105); + + var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); + + var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); + + var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); + + var select27 = linear_select([ + part107, + part108, + ]); + + var all22 = all_match({ + processors: [ + part106, + select27, + dup49, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), + }); + + var msg56 = msg("00002:54", all22); + + var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); + + var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); + + var select28 = linear_select([ + part110, + dup52, + ]); + + var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); + + var all23 = all_match({ + processors: [ + part109, + select28, + part111, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg57 = msg("00002", all23); + + var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ + dup53, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg58 = msg("00002:56", part112); + + var select29 = linear_select([ + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + ]); + + var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup53, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg59 = msg("00003", part113); + + var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ + dup53, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg60 = msg("00003:01", part114); + + var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg61 = msg("00003:02", part115); + + var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg62 = msg("00003:03", part116); + + var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); + + var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); + + var select30 = linear_select([ + part117, + part118, + ]); + + var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been 
%{disposition->} by admin %{administrator}."); + + var all24 = all_match({ + processors: [ + dup55, + select30, + part119, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg63 = msg("00003:05", all24); + + var select31 = linear_select([ + msg59, + msg60, + msg61, + msg62, + msg63, + ]); + + var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg64 = msg("00004", part120); + + var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg65 = msg("00004:01", part121); + + var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg66 = msg("00004:02", part122); + + var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg67 = msg("00004:03", part123); + + var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); + + var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); + + var all25 = all_match({ + processors: [ + part124, + dup337, + part125, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup59, + dup3, + dup60, + ]), + }); + + var msg68 = msg("00004:04", all25); + + var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg69 = msg("00004:05", part126); + + var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg70 = msg("00004:06", part127); + + var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg71 = msg("00004:07", part128); + + var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg72 = msg("00004:08", part129); + + var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg73 = msg("00004:09", part130); + + var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg74 = msg("00004:10", part131); + + var part132 = match("MESSAGE#73:00004:11", 
"nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg75 = msg("00004:11", part132); + + var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg76 = msg("00004:12", part133); + + var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg77 = msg("00004:13", part134); + + var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); + + var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); + + var select32 = linear_select([ + part135, + part136, + ]); + + var all26 = all_match({ + processors: [ + dup63, + select32, + dup49, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg78 = msg("00004:14", all26); + + var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg79 = msg("00004:15", part137); + + var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg80 = msg("00004:16", part138); + + var all27 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup9, + dup5, + dup3, + dup60, + ]), + }); + + var msg81 = msg("00004:17", all27); + + var select33 = linear_select([ + msg64, + msg65, + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + ]); + + var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg82 = msg("00005", part139); + + var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg83 = msg("00005:01", part140); + + var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg84 = msg("00005:02", part141); + + var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); + + var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); + + var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); + + var select34 = linear_select([ + part144, + dup73, + ]); + + var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); + + var all28 = all_match({ + processors: [ + part142, + dup339, + dup70, + dup340, + part143, + select34, + part145, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ]), + }); + + var msg85 = msg("00005:03", all28); + + var msg86 = msg("00005:04", dup341); + + var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ + setc("eventcategory","1001020100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg87 = msg("00005:05", part146); + + var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); + + var all29 = all_match({ + processors: [ + dup342, + part147, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg88 = msg("00005:06", all29); + + var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); + + var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); + + var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); + + var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); + + var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); + + var select35 = linear_select([ + part149, + part150, + dup76, + part151, + part152, + ]); + + var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); + + var all30 = all_match({ + processors: [ + part148, + select35, + part153, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg89 = msg("00005:07", all30); + 
+ var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); + + var select36 = linear_select([ + dup77, + dup78, + ]); + + var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); + + var all31 = all_match({ + processors: [ + dup342, + part154, + select36, + part155, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg90 = msg("00005:08", all31); + + var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg91 = msg("00005:09", part156); + + var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg92 = msg("00005:10", part157); + + var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); + + var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); + + var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); + + var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); + + var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); + + var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); + + var select37 = linear_select([ + part159, + part160, + part161, + part162, + part163, + ]); + + var all32 = all_match({ + processors: [ + part158, + select37, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg93 = msg("00005:11", all32); + + var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ + dup1, + dup2, + 
dup3, + dup4, + dup5, + ])); + + var msg94 = msg("00005:12", part164); + + var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg95 = msg("00005:13", part165); + + var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg96 = msg("00005:14", part166); + + var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg97 = msg("00005:15", part167); + + var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg98 = msg("00005:16", part168); + + var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); + + var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); + + var select38 = linear_select([ + part169, + part170, + ]); + + var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); + + var all33 = all_match({ + processors: [ + dup79, + select38, + part171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg99 = msg("00005:17", all33); + + var all34 = all_match({ + processors: [ + dup80, + dup343, + dup83, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg100 = msg("00005:18", all34); + + var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol 
%{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup84, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ])); + + var msg101 = msg("00005:19", part172); + + var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup84, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg102 = msg("00005:20", part173); + + var select39 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + ]); + + var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, + ])); + + var msg103 = msg("00006", part174); + + var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg104 = msg("00006:01", part175); + + var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg105 = msg("00006:02", part176); + + var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg106 = msg("00006:03", part177); + + var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + + var all35 = all_match({ + processors: [ + part178, + dup338, + dup67, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg107 = msg("00006:04", all35); + + var all36 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg108 = msg("00006:05", all36); + + var select40 = linear_select([ + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + ]); + + var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg109 = msg("00007", part179); + + var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg110 = msg("00007:01", part180); + + var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); + + var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); + + var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); + + var select41 = linear_select([ + part182, + part183, + ]); + + var all37 = all_match({ + processors: [ + part181, + select41, + ], + on_success: processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg111 = msg("00007:02", all37); + + var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg112 = msg("00007:03", 
part184); + + var select42 = linear_select([ + dup88, + dup89, + ]); + + var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); + + var all38 = all_match({ + processors: [ + dup87, + select42, + dup23, + dup344, + part185, + ], + on_success: processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg113 = msg("00007:04", all38); + + var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg114 = msg("00007:05", part186); + + var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg115 = msg("00007:06", part187); + + var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg116 = msg("00007:07", part188); + + var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg117 = msg("00007:08", part189); + + var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg118 = msg("00007:09", part190); + + var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg119 = msg("00007:10", 
part191); + + var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); + + var select43 = linear_select([ + dup92, + dup93, + ]); + + var all39 = all_match({ + processors: [ + part192, + select43, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg120 = msg("00007:11", all39); + + var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg121 = msg("00007:12", part193); + + var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg122 = msg("00007:13", part194); + + var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup60, + ])); + + var msg123 = msg("00007:14", part195); + + var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg124 = msg("00007:15", part196); + + var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg125 = msg("00007:16", part197); + + var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + 
dup5, + ])); + + var msg126 = msg("00007:17", part198); + + var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); + + var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); + + var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); + + var select44 = linear_select([ + part200, + part201, + ]); + + var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); + + var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); + + var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); + + var select45 = linear_select([ + part203, + part204, + ]); + + var all40 = all_match({ + processors: [ + part199, + select44, + part202, + select45, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg127 = msg("00007:18", all40); + + var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg128 = msg("00007:20", part205); + + var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); + + var all41 = all_match({ + processors: [ + part206, + dup345, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg129 = msg("00007:21", all41); + + var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg130 = msg("00007:22", part207); + + var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg131 = msg("00007:23", part208); + + var part209 = 
match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg132 = msg("00007:24", part209); + + var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg133 = msg("00007:25", part210); + + var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); + + var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); + + var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); + + var select46 = linear_select([ + part212, + part213, + ]); + + var all42 = all_match({ + processors: [ + part211, + select46, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg134 = msg("00007:26", all42); + + var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg135 = msg("00007:27", part214); + + var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg136 = msg("00007:28", part215); + + var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); + + var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); + + var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); + + var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); + + var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); + + var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master 
with smaller MAC value%{}"); + + var select47 = linear_select([ + part217, + part218, + part219, + part220, + part221, + ]); + + var all43 = all_match({ + processors: [ + part216, + select47, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg137 = msg("00007:29", all43); + + var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg138 = msg("00007:30", part222); + + var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); + + var all44 = all_match({ + processors: [ + part223, + dup345, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg139 = msg("00007:31", all44); + + var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); + + var select48 = linear_select([ + dup89, + dup88, + ]); + + var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); + + var all45 = all_match({ + processors: [ + part224, + select48, + dup23, + dup344, + part225, + ], + on_success: processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg140 = msg("00007:32", all45); + + var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); + + var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); + + var select49 = linear_select([ + part226, + part227, + ]); + + var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); + + var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); + + var select50 = linear_select([ + part229, + dup96, + ]); + + var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); + + var all46 = all_match({ + processors: [ + select49, + part228, + select50, + 
part230, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg141 = msg("00007:33", all46); + + var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ + dup97, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg142 = msg("00007:34", part231); + + var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg143 = msg("00007:35", part232); + + var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg144 = msg("00007:36", part233); + + var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); + + var all47 = all_match({ + processors: [ + part234, + dup346, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg145 = msg("00007:37", all47); + + var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); + + var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); + + var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); + + var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); + + var select51 = linear_select([ + part237, + part238, + ]); + + var all48 = all_match({ + processors: [ + part235, + dup347, + dup103, + dup347, + part236, + select51, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg146 = msg("00007:38", all48); + + var part239 = 
match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); + + var all49 = all_match({ + processors: [ + part239, + dup346, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg147 = msg("00007:39", all49); + + var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg148 = msg("00007:40", part240); + + var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg149 = msg("00007:41", part241); + + var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg150 = msg("00007:42", part242); + + var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg151 = msg("00007:43", part243); + + var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg152 = msg("00007:44", part244); + + var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg153 = msg("00007:45", part245); + + var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup60, + ])); + + var msg154 = msg("00007:46", part246); + + var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg155 = msg("00007:47", part247); + + var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ + dup97, + dup2, + dup3, + dup4, + setc("disposition","dropped"), + setc("result","Invalid encryption Password"), + ])); + + var msg156 = msg("00007:48", part248); + + var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ + setc("eventcategory","1604000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg157 = msg("00007:49", part249); + + var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); + + var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); + + var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); + + var select52 = linear_select([ + part251, + part252, + ]); + + var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); + + var all50 = all_match({ + processors: [ + part250, + select52, + part253, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg158 = msg("00007:50", all50); + + var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); + + var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); + 
+ var select53 = linear_select([ + dup104, + part255, + ]); + + var select54 = linear_select([ + dup105, + dup73, + ]); + + var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); + + var select55 = linear_select([ + dup106, + dup107, + ]); + + var all51 = all_match({ + processors: [ + part254, + select53, + dup23, + select54, + part256, + select55, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg159 = msg("00007:51", all51); + + var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg160 = msg("00007:52", part257); + + var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg161 = msg("00007:53", part258); + + var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg162 = msg("00007:54", part259); + + var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg163 = msg("00007:55", part260); + + var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg164 = msg("00007:56", part261); + + var select56 = linear_select([ + dup109, + dup110, + ]); + + var 
select57 = linear_select([ + dup111, + dup112, + ]); + + var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); + + var all52 = all_match({ + processors: [ + dup55, + select56, + dup23, + select57, + part262, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg165 = msg("00007:57", all52); + + var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg166 = msg("00007:58", part263); + + var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg167 = msg("00007:59", part264); + + var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg168 = msg("00007:60", part265); + + var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg169 = msg("00007:61", part266); + + var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg170 = msg("00007:62", part267); + + var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg171 = msg("00007:63", part268); + + var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the 
monitoring list %{p0}"); + + var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); + + var all53 = all_match({ + processors: [ + dup348, + part269, + dup349, + part270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg172 = msg("00007:64", all53); + + var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); + + var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); + + var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); + + var select58 = linear_select([ + part272, + part273, + ]); + + var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); + + var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); + + var all54 = all_match({ + processors: [ + dup348, + part271, + select58, + part274, + dup349, + part275, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg173 = msg("00007:65", all54); + + var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); + + var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); + + var select59 = linear_select([ + part276, + part277, + ]); + + var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); + + var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); + + var select60 = linear_select([ + part279, + dup115, + ]); + + var all55 = all_match({ + processors: [ + select59, + part278, + select60, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg174 = msg("00007:66", all55); + + var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + 
+ var msg175 = msg("00007:67", part280); + + var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); + + var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); + + var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); + + var select61 = linear_select([ + part282, + part283, + ]); + + var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); + + var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); + + var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); + + var select62 = linear_select([ + part285, + part286, + ]); + + var all56 = all_match({ + processors: [ + part281, + select61, + part284, + select62, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg176 = msg("00007:68", all56); + + var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg177 = msg("00007:69", part287); + + var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg178 = msg("00007:70", part288); + + var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg179 = msg("00007:71", part289); + + var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg180 = msg("00007:72", part290); + + var select63 = linear_select([ + msg109, + msg110, + msg111, + msg112, + msg113, + 
msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + msg130, + msg131, + msg132, + msg133, + msg134, + msg135, + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + ]); + + var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, + ])); + + var msg181 = msg("00008", part291); + + var msg182 = msg("00008:01", dup341); + + var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg183 = msg("00008:02", part292); + + var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg184 = msg("00008:03", part293); + + var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); + + var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); + + var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); + + var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); + + var select64 = linear_select([ + part295, + part296, + part297, + ]); + + var part298 = 
match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); + + var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); + + var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); + + var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); + + var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); + + var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); + + var select65 = linear_select([ + part299, + part300, + part301, + part302, + part303, + dup21, + ]); + + var all57 = all_match({ + processors: [ + part294, + select64, + part298, + select65, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), + }); + + var msg185 = msg("00008:04", all57); + + var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg186 = msg("00008:05", part304); + + var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ])); + + var msg187 = msg("00008:06", part305); + + var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup60, + ])); + + var msg188 = msg("00008:07", part306); + + var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup60, + ])); + + var msg189 = msg("00008:08", part307); + + var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg190 = msg("00008:09", part308); + + var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); + + var all58 = all_match({ + processors: [ + part309, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ]), + }); + + var msg191 = msg("00008:10", all58); + + var select66 = linear_select([ + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + msg187, + msg188, + msg189, + msg190, + msg191, + ]); + + var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg192 = msg("00009", part310); + + var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg193 = msg("00009:01", part311); + + var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has 
been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg194 = msg("00009:02", part312); + + var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg195 = msg("00009:03", part313); + + var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg196 = msg("00009:05", part314); + + var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); + + var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); + + var select67 = linear_select([ + part315, + part316, + ]); + + var select68 = linear_select([ + dup119, + dup16, + ]); + + var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); + + var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); + + var select69 = linear_select([ + dup120, + part318, + ]); + + var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); + + var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); + + var select70 = linear_select([ + part319, + part320, + ]); + + var all59 = all_match({ + processors: [ + select67, + dup118, + select68, + part317, + select69, + dup23, + select70, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg197 = msg("00009:06", all59); + + var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); + + 
var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); + + var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); + + var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); + + var select71 = linear_select([ + part323, + part324, + ]); + + var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); + + var all60 = all_match({ + processors: [ + part321, + dup337, + part322, + select71, + part325, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg198 = msg("00009:07", all60); + + var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg199 = msg("00009:09", part326); + + var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); + + var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); + + var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); + + var select72 = linear_select([ + part328, + part329, + ]); + + var all61 = all_match({ + processors: [ + part327, + select72, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg200 = msg("00009:10", all61); + + var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); + + var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); + + var select73 = linear_select([ + part330, + part331, + ]); + + var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); + + var all62 = all_match({ + processors: [ + select73, + part332, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + 
dup5, + ]), + }); + + var msg201 = msg("00009:11", all62); + + var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg202 = msg("00009:12", part333); + + var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg203 = msg("00009:13", part334); + + var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); + + var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); + + var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); + + var select74 = linear_select([ + part335, + part336, + part337, + ]); + + var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); + + var select75 = linear_select([ + dup122, + dup123, + ]); + + var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); + + var select76 = linear_select([ + part339, + dup124, + ]); + + var all63 = all_match({ + processors: [ + select74, + part338, + select75, + dup23, + select76, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg204 = msg("00009:14", all63); + + var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); + + var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); + + var select77 = linear_select([ + part341, + dup125, + ]); + + var all64 = all_match({ + processors: [ + part340, + select77, + dup126, + dup350, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg205 = msg("00009:15", all64); + + var part342 = 
match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); + + var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); + + var select78 = linear_select([ + dup129, + dup130, + part343, + ]); + + var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); + + var all65 = all_match({ + processors: [ + part342, + dup350, + dup23, + select78, + part344, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg206 = msg("00009:16", all65); + + var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); + + var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); + + var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); + + var select79 = linear_select([ + part346, + part347, + ]); + + var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); + + var all66 = all_match({ + processors: [ + part345, + select79, + part348, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg207 = msg("00009:17", all66); + + var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg208 = msg("00009:18", part349); + + var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg209 = msg("00009:19", part350); + + var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg210 = 
msg("00009:27", part351); + + var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); + + var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); + + var select80 = linear_select([ + part352, + part353, + ]); + + var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); + + var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); + + var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); + + var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); + + var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); + + var select81 = linear_select([ + part355, + part356, + part357, + part358, + ]); + + var all67 = all_match({ + processors: [ + select80, + part354, + select81, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg211 = msg("00009:20", all67); + + var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var all68 = all_match({ + processors: [ + part359, + dup343, + dup131, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ]), + }); + + var msg212 = msg("00009:21", all68); + + var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg213 = msg("00009:22", part360); + + var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ])); + + var msg214 = msg("00009:23", part361); + + var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); + + var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); + + var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); + + var select82 = linear_select([ + part363, + part364, + ]); + + var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); + + var all69 = all_match({ + processors: [ + part362, + select82, + part365, + ], + on_success: processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), + }); + + var msg215 = msg("00009:24", all69); + + var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ])); + + var msg216 = msg("00009:25", part366); + + var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); + + var all70 = all_match({ + processors: [ + part367, + dup333, + ], + on_success: processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), + }); + + var msg217 = msg("00009:26", all70); + + var select83 = linear_select([ + msg192, + msg193, + msg194, + msg195, + msg196, + msg197, + msg198, + msg199, + msg200, + msg201, + msg202, + msg203, + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + msg211, + msg212, + msg213, + msg214, + msg215, + msg216, + msg217, + ]); + + var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); + + var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); + + var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); + + var select84 = linear_select([ + part369, + part370, + ]); + + var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); + + var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); + + var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); + + var select85 = linear_select([ + part372, + part373, + dup126, + ]); + + var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); + + var all71 = all_match({ + processors: [ + part368, + select84, + part371, + select85, + part374, + dup351, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup5, + dup9, + dup3, + dup61, + ]), + }); + + var msg218 = msg("00010", all71); + + var part375 = match("MESSAGE#217:00010:01", 
"nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg219 = msg("00010:01", part375); + + var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg220 = msg("00010:02", part376); + + var all72 = all_match({ + processors: [ + dup132, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup9, + dup3, + dup60, + ]), + }); + + var msg221 = msg("00010:03", all72); + + var select86 = linear_select([ + msg218, + msg219, + msg220, + msg221, + ]); + + var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg222 = msg("00011", part377); + + var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); + + var select87 = linear_select([ + dup57, + dup56, + ]); + + var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); + + var all73 = all_match({ + processors: [ + part378, + select87, + part379, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg223 = msg("00011:01", all73); + + var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg224 = msg("00011:02", part380); + + var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); + + var part382 = match("MESSAGE#223:00011:03/1_0", 
"nwparser.p0", "import %{p0}"); + + var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); + + var select88 = linear_select([ + part382, + part383, + ]); + + var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); + + var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); + + var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); + + var select89 = linear_select([ + part385, + part386, + ]); + + var all74 = all_match({ + processors: [ + part381, + select88, + part384, + select89, + dup36, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg225 = msg("00011:03", all74); + + var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); + + var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); + + var all75 = all_match({ + processors: [ + part387, + dup352, + part388, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg226 = msg("00011:04", all75); + + var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); + + var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); + + var select90 = linear_select([ + part389, + part390, + ]); + + var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); + + var all76 = all_match({ + processors: [ + dup79, + select90, + part391, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg227 = msg("00011:05", all76); + + 
var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup59, + dup3, + dup60, + ])); + + var msg228 = msg("00011:07", part392); + + var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg229 = msg("00011:08", part393); + + var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg230 = msg("00011:09", part394); + + var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg231 = msg("00011:10", part395); + + var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg232 = msg("00011:11", part396); + + var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg233 = msg("00011:12", part397); + + var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg234 = msg("00011:13", part398); 
+ + var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); + + var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); + + var select91 = linear_select([ + dup134, + part400, + ]); + + var all77 = all_match({ + processors: [ + part399, + select91, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg235 = msg("00011:14", all77); + + var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg236 = msg("00011:15", part401); + + var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg237 = msg("00011:16", part402); + + var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); + + var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); + + var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); + + var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); + + var select92 = linear_select([ + part404, + part405, + part406, + ]); + + var all78 = all_match({ + processors: [ + part403, + select92, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg238 = msg("00011:17", all78); + + var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); + + var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); + + var select93 = linear_select([ + part407, + part408, + ]); + + var part409 = 
match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); + + var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); + + var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); + + var select94 = linear_select([ + part410, + part411, + ]); + + var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); + + var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); + + var select95 = linear_select([ + part413, + dup135, + ]); + + var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); + + var all79 = all_match({ + processors: [ + select93, + part409, + select94, + part412, + select95, + part414, + dup350, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg239 = msg("00011:18", all79); + + var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); + + var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); + + var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); + + var select96 = linear_select([ + part416, + part417, + ]); + + var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); + + var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); + + var select97 = linear_select([ + part419, + dup135, + ]); + + var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); + + var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); + + var select98 = linear_select([ + dup107, + part421, + ]); + + var all80 = all_match({ + processors: [ + part415, + select96, + part418, + select97, + part420, + 
select98, + dup136, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg240 = msg("00011:19", all80); + + var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); + + var select99 = linear_select([ + part422, + dup79, + ]); + + var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); + + var all81 = all_match({ + processors: [ + select99, + part423, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg241 = msg("00011:20", all81); + + var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg242 = msg("00011:21", part424); + + var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg243 = msg("00011:22", part425); + + var all82 = all_match({ + processors: [ + dup132, + dup343, + dup131, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("saddr"), + field("daddr"), + ], + }), + ]), + }); + + var msg244 = msg("00011:23", all82); + + var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg245 = msg("00011:24", part426); + + var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg246 = msg("00011:25", part427); + + var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg247 = msg("00011:26", part428); + + var select100 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + msg230, + msg231, + msg232, + msg233, + msg234, + msg235, + msg236, + msg237, + msg238, + msg239, + msg240, + msg241, + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + ]); + + var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg248 = msg("00012:02", part429); + + var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg249 = msg("00012:03", part430); + + var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg250 = msg("00012:04", part431); + + var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} 
(%{fld2}) (%{fld3})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg251 = msg("00012:05", part432); + + var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ])); + + var msg252 = msg("00012:06", part433); + + var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + dup59, + ])); + + var msg253 = msg("00012:07", part434); + + var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg254 = msg("00012:08", part435); + + var all83 = all_match({ + processors: [ + dup80, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg255 = msg("00012:09", all83); + + var all84 = all_match({ + processors: [ + dup132, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg256 = msg("00012:10", all84); + + var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup9, + dup61, + ])); + + var msg257 = msg("00012:11", part436); + + var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg258 = msg("00012:12", part437); + + var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg259 = msg("00012", part438); + + var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg260 = msg("00012:01", part439); + + var select101 = linear_select([ + msg248, + msg249, + msg250, + msg251, + msg252, + msg253, + msg254, + msg255, + msg256, + msg257, + msg258, + msg259, + msg260, + ]); + + var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg261 = msg("00013", part440); + + var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), + ])); + + var msg262 = msg("00013:01", part441); + + var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg263 = msg("00013:02", part442); + + var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg264 = msg("00013:03", part443); + + var select102 = linear_select([ + msg261, + msg262, + msg263, + msg264, + ]); + + var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg265 = msg("00014", part444); + + var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); + + var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); + + var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); + + var select103 = linear_select([ + part446, + part447, + ]); + + var all85 = all_match({ + processors: [ + part445, + select103, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg266 = msg("00014:01", all85); + + var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg267 = msg("00014:02", part448); + 
+ var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg268 = msg("00014:03", part449); + + var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg269 = msg("00014:04", part450); + + var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg270 = msg("00014:05", part451); + + var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg271 = msg("00014:06", part452); + + var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg272 = msg("00014:07", part453); + + var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ + dup27, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg273 = msg("00014:08", part454); + + var select104 = linear_select([ + msg265, + msg266, + msg267, + msg268, + msg269, + msg270, + msg271, + msg272, + msg273, + ]); + + var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg274 = msg("00015", part455); + + var part456 = match("MESSAGE#273:00015:01", 
"nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg275 = msg("00015:01", part456); + + var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); + + var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); + + var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); + + var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); + + var select105 = linear_select([ + part458, + dup137, + part459, + part460, + ]); + + var all86 = all_match({ + processors: [ + part457, + select105, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg276 = msg("00015:02", all86); + + var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg277 = msg("00015:03", part461); + + var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); + + var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); + + var select106 = linear_select([ + dup139, + dup140, + part463, + ]); + + var all87 = all_match({ + processors: [ + part462, + select106, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg278 = msg("00015:04", all87); + + var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); + + var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); + + var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); + + var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); + + var select107 = linear_select([ + part465, + part466, + 
dup76, + part467, + ]); + + var all88 = all_match({ + processors: [ + part464, + select107, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg279 = msg("00015:05", all88); + + var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); + + var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); + + var select108 = linear_select([ + part468, + part469, + ]); + + var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); + + var all89 = all_match({ + processors: [ + select108, + part470, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg280 = msg("00015:06", all89); + + var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg281 = msg("00015:07", part471); + + var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ + dup141, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg282 = msg("00015:08", part472); + + var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); + + var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); + + var select109 = linear_select([ + part473, + part474, + ]); + + var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); + + var all90 = all_match({ + processors: [ + select109, + part475, + ], + on_success: processor_chain([ + dup141, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg283 = msg("00015:09", all90); + + var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + 
var msg284 = msg("00015:10", part476); + + var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg285 = msg("00015:11", part477); + + var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); + + var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); + + var select110 = linear_select([ + part478, + part479, + ]); + + var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); + + var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); + + var all91 = all_match({ + processors: [ + dup87, + select110, + part480, + dup353, + dup103, + dup353, + part481, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg286 = msg("00015:12", all91); + + var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg287 = msg("00015:13", part482); + + var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); + + var all92 = all_match({ + processors: [ + part483, + dup353, + dup116, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg288 = msg("00015:14", all92); + + var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg289 = msg("00015:15", part484); + + var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg290 = msg("00015:16", part485); + + var part486 = match("MESSAGE#289:00015:17", 
"nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg291 = msg("00015:17", part486); + + var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + setc("change_attribute","RTO mirror group"), + ])); + + var msg292 = msg("00015:18", part487); + + var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg293 = msg("00015:19", part488); + + var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg294 = msg("00015:20", part489); + + var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); + + var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); + + var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); + + var select111 = linear_select([ + part491, + part492, + ]); + + var all93 = all_match({ + processors: [ + part490, + select111, + dup116, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg295 = msg("00015:21", all93); + + var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); + + var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); + + var part495 = match("MESSAGE#294:00015:22/0_2", 
"nwparser.payload", "Peer %{p0}"); + + var select112 = linear_select([ + part493, + part494, + part495, + ]); + + var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); + + var all94 = all_match({ + processors: [ + select112, + part496, + dup354, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg296 = msg("00015:22", all94); + + var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg297 = msg("00015:23", part497); + + var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg298 = msg("00015:24", part498); + + var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ + setc("eventcategory","1613050100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg299 = msg("00015:25", part499); + + var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ + dup97, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg300 = msg("00015:29", part500); + + var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); + + var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); + + var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); + + var select113 = linear_select([ + part502, + part503, + ]); + + var all95 = all_match({ + processors: [ + part501, + select113, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg301 = msg("00015:26", all95); + + var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + dup146, + ])); + + var msg302 = msg("00015:33", part504); + + var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg303 = msg("00015:27", part505); + + var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg304 = msg("00015:28", part506); + + var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); + + var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); + + var all96 = all_match({ + processors: [ + part507, + dup355, + part508, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg305 = msg("00015:30", all96); + + var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ + 
dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg306 = msg("00015:31", part509); + + var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg307 = msg("00015:32", part510); + + var select114 = linear_select([ + msg274, + msg275, + msg276, + msg277, + msg278, + msg279, + msg280, + msg281, + msg282, + msg283, + msg284, + msg285, + msg286, + msg287, + msg288, + msg289, + msg290, + msg291, + msg292, + msg293, + msg294, + msg295, + msg296, + msg297, + msg298, + msg299, + msg300, + msg301, + msg302, + msg303, + msg304, + msg305, + msg306, + msg307, + ]); + + var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg308 = msg("00016", part511); + + var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg309 = msg("00016:01", part512); + + var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ + dup1, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg310 = msg("00016:02", part513); + + var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg311 = msg("00016:03", part514); + + var part515 = 
match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg312 = msg("00016:05", part515); + + var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg313 = msg("00016:06", part516); + + var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); + + var all97 = all_match({ + processors: [ + part517, + dup338, + dup67, + ], + on_success: processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg314 = msg("00016:07", all97); + + var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + setc("eventcategory","1001020305"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg315 = msg("00016:08", part518); + + var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + setc("eventcategory","1001030305"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg316 = msg("00016:09", part519); + + var select115 = linear_select([ + msg308, + msg309, + msg310, + msg311, + msg312, + msg313, + msg314, + msg315, + msg316, + ]); + + var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ])); + + var msg317 = msg("00017", part520); + + var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); + + var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); + + var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); + + var select116 = linear_select([ + part522, + part523, + ]); + + var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); + + var all98 = all_match({ + processors: [ + part521, + select116, + part524, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg318 = msg("00017:23", all98); + + var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); + + var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); + + var select117 = linear_select([ + part525, + part526, + ]); + + var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); + + var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); + + var all99 = all_match({ + processors: [ + select117, + part527, + dup356, + part528, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg319 = msg("00017:01", all99); + + var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg320 = msg("00017:02", part529); + + var part530 = match("MESSAGE#319:00017:03", 
"nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg321 = msg("00017:03", part530); + + var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); + + var all100 = all_match({ + processors: [ + dup153, + dup357, + part531, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg322 = msg("00017:04", all100); + + var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg323 = msg("00017:05", part532); + + var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); + + var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); + + var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); + + var select118 = linear_select([ + part534, + dup101, + part535, + ]); + + var all101 = all_match({ + processors: [ + part533, + select118, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg324 = msg("00017:06", all101); + + var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); + + var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); + + var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); + + var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); + + var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); + + var select119 = linear_select([ + part537, + part538, + dup98, + part539, + part540, + ]); + + var all102 = all_match({ + processors: [ + part536, + select119, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + 
dup5, + ]), + }); + + var msg325 = msg("00017:07", all102); + + var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg326 = msg("00017:08", part541); + + var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); + + var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); + + var select120 = linear_select([ + part542, + part543, + ]); + + var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); + + var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); + + var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); + + var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); + + var select121 = linear_select([ + part545, + part546, + part547, + ]); + + var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); + + var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); + + var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); + + var select122 = linear_select([ + part549, + part550, + dup36, + ]); + + var all103 = all_match({ + processors: [ + select120, + part544, + select121, + part548, + select122, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg327 = msg("00017:09", all103); + + var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); + + var all104 = all_match({ + processors: [ + part551, + dup358, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg328 = msg("00017:10", all104); + + var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg329 = msg("00017:11", part552); + + var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); + + var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); + + var select123 = linear_select([ + dup109, + dup110, + part554, + ]); + + var all105 = all_match({ + processors: [ + part553, + select123, + dup127, + dup359, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg330 = msg("00017:12", all105); + + var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg331 = msg("00017:26", part555); + + var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg332 = msg("00017:13", part556); + + var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup9, + dup5, + ])); + + var msg333 = msg("00017:14", part557); + + var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); + + var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); + + var all106 = all_match({ + processors: [ + part558, + dup360, + part559, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg334 = msg("00017:15", all106); + + var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); + + var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); + + var all107 = all_match({ + processors: [ + part560, + dup360, + part561, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg335 = msg("00017:31", all107); + + var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); + + var all108 = all_match({ + processors: [ + part562, + dup359, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg336 = msg("00017:16", all108); + + var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); + + var select124 = linear_select([ + dup99, + dup93, + ]); + + var all109 = all_match({ + processors: [ + part563, + select124, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg337 = msg("00017:17", all109); + + var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); + + var all110 = all_match({ + processors: [ + dup153, + 
dup357, + part564, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg338 = msg("00017:18", all110); + + var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); + + var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); + + var all111 = all_match({ + processors: [ + part565, + dup337, + part566, + ], + on_success: processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ]), + }); + + var msg339 = msg("00017:19", all111); + + var all112 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup151, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + ]), + }); + + var msg340 = msg("00017:20", all112); + + var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ])); + + var msg341 = msg("00017:21", part567); + + var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg342 = msg("00017:22", part568); + + var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg343 = msg("00017:24", part569); + + var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg344 = msg("00017:25", part570); + + var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg345 = msg("00017:28", part571); + + var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg346 = msg("00017:29", part572); + + var select125 = linear_select([ + msg317, + msg318, + msg319, + msg320, + msg321, + msg322, + msg323, + msg324, + msg325, + msg326, + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + msg346, + ]); + + var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg347 = msg("00018", part573); + + var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ + setc("eventcategory","1502010000"), + dup2, + dup4, + dup5, + dup3, + ])); + + var msg348 = msg("00018:01", part574); + + var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg349 = msg("00018:02", part575); + + var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg350 = msg("00018:04", part576); + + var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg351 = msg("00018:16", part577); + + var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); + + var part579 = 
match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); + + var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); + + var select126 = linear_select([ + part579, + part580, + ]); + + var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); + + var all113 = all_match({ + processors: [ + part578, + select126, + part581, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg352 = msg("00018:06", all113); + + var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg353 = msg("00018:08", part582); + + var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup3, + dup2, + dup9, + dup4, + dup5, + ])); + + var msg354 = msg("00018:09", part583); + + var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); + + var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); + + var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); + + var select127 = linear_select([ + part585, + part586, + ]); + + var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); + + var all114 = all_match({ + processors: [ + part584, + select127, + part587, + ], + on_success: processor_chain([ + dup17, + dup3, + dup2, + dup9, + dup4, + dup5, + ]), + }); + + var msg355 = msg("00018:10", all114); + + var part588 = match("MESSAGE#354:00018:11/1_0", 
"nwparser.p0", "Service %{service->} was %{p0}"); + + var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); + + var select128 = linear_select([ + part588, + part589, + ]); + + var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); + + var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); + + var select129 = linear_select([ + part591, + dup16, + ]); + + var all115 = all_match({ + processors: [ + dup160, + select128, + part590, + select129, + dup10, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg356 = msg("00018:11", all115); + + var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); + + var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); + + var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); + + var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); + + var select130 = linear_select([ + part593, + part594, + part595, + ]); + + var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + + var all116 = all_match({ + processors: [ + part592, + select130, + part596, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg357 = msg("00018:12", all116); + + var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); + + var all117 = all_match({ + processors: [ + dup361, + part597, + dup362, + dup164, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg358 = msg("00018:32", 
all117); + + var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); + + var all118 = all_match({ + processors: [ + dup361, + part598, + dup362, + dup164, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg359 = msg("00018:22", all118); + + var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); + + var select131 = linear_select([ + dup78, + dup77, + ]); + + var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); + + var all119 = all_match({ + processors: [ + part599, + select131, + part600, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg360 = msg("00018:15", all119); + + var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); + + var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); + + var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); + + var select132 = linear_select([ + part602, + part603, + ]); + + var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); + + var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); + + var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); + + var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); + + var select133 = linear_select([ + part605, + part606, + part607, + ]); + + var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + + var all120 = all_match({ + processors: [ + part601, + select132, + part604, + select133, + part608, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + 
dup9, + dup4, + dup5, + ]), + }); + + var msg361 = msg("00018:14", all120); + + var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg362 = msg("00018:29", part609); + + var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg363 = msg("00018:07", part610); + + var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg364 = msg("00018:18", part611); + + var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg365 = msg("00018:17", part612); + + var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg366 = msg("00018:19", part613); + + var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); + + var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); + + var select134 = linear_select([ + part614, + part615, + ]); + + var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); + + var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); + + var select135 = linear_select([ + part617, + dup103, + ]); + + var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); + + var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var select136 = linear_select([ + part618, + part619, + ]); + + var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); + + var all121 = all_match({ + processors: [ + select134, + part616, + select135, + dup23, + select136, + part620, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg367 = msg("00018:23", all121); + + var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg368 = msg("00018:21", part621); + + var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg369 = msg("00018:24", part622); + + var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); + + var all122 = all_match({ + processors: [ + dup363, + part623, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg370 = msg("00018:25", all122); + + var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); + + var all123 = all_match({ + processors: [ + dup363, + part624, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg371 = msg("00018:30", all123); + + var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); + + var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); + + var select137 = linear_select([ + dup48, + part626, + ]); + + var all124 = all_match({ + processors: [ + part625, + dup364, + select137, + dup41, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg372 = msg("00018:26", all124); + + var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg373 = msg("00018:27", part627); + + var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ + dup17, + dup2, + dup4, + dup5, + dup9, + setc("info","the DI attack component was modified"), + ])); + + var msg374 = msg("00018:28", part628); + + var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg375 = msg("00018:03", part629); + + var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg376 = msg("00018:31", part630); + + var select138 = linear_select([ + msg347, + msg348, + msg349, + msg350, + msg351, + msg352, + msg353, + msg354, + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + msg362, + msg363, + msg364, + msg365, + msg366, + msg367, + msg368, + msg369, + msg370, + msg371, + msg372, + msg373, + msg374, + msg375, + msg376, + ]); + + var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg377 = msg("00019", part631); + + var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); + + var all125 = all_match({ + processors: [ + dup165, + dup365, + part632, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg378 = msg("00019:01", all125); + + var part633 = match("MESSAGE#376:00019:02/0", 
"nwparser.payload", "Socket cannot be assigned for %{p0}"); + + var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); + + var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); + + var select139 = linear_select([ + part634, + part635, + ]); + + var all126 = all_match({ + processors: [ + part633, + select139, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg379 = msg("00019:02", all126); + + var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg380 = msg("00019:03", part636); + + var select140 = linear_select([ + dup169, + dup78, + ]); + + var select141 = linear_select([ + dup139, + dup170, + dup137, + dup122, + ]); + + var all127 = all_match({ + processors: [ + dup168, + select140, + dup23, + select141, + dup171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg381 = msg("00019:04", all127); + + var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); + + var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); + + var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); + + var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); + + var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); + + var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); + + var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); + + var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); + + var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); + + var select142 = linear_select([ + part638, + part639, + part640, + part641, + part642, + part643, + part644, + part645, + 
]); + + var all128 = all_match({ + processors: [ + part637, + select142, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg382 = msg("00019:05", all128); + + var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); + + var all129 = all_match({ + processors: [ + dup168, + dup366, + part646, + dup367, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg383 = msg("00019:06", all129); + + var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg384 = msg("00019:07", part647); + + var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg385 = msg("00019:08", part648); + + var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); + + var select143 = linear_select([ + dup139, + dup170, + dup137, + ]); + + var all130 = all_match({ + processors: [ + part649, + select143, + dup171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg386 = msg("00019:09", all130); + + var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); + + var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); + + var select144 = linear_select([ + part650, + part651, + ]); + + var all131 = all_match({ + processors: [ + dup183, + select144, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg387 = msg("00019:10", all131); + + var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); + + var all132 = all_match({ + processors: [ + dup165, + dup365, + 
part652, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg388 = msg("00019:11", all132); + + var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg389 = msg("00019:12", part653); + + var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); + + var select145 = linear_select([ + dup107, + dup106, + ]); + + var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); + + var all133 = all_match({ + processors: [ + part654, + select145, + part655, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg390 = msg("00019:13", all133); + + var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); + + var all134 = all_match({ + processors: [ + dup168, + dup366, + part656, + dup367, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg391 = msg("00019:14", all134); + + var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg392 = msg("00019:15", part657); + + var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ + setc("eventcategory","1701030000"), + setc("ec_activity","Delete"), + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg393 = msg("00019:16", part658); + + var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg394 = msg("00019:17", part659); + + var 
part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); + + var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); + + var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); + + var select146 = linear_select([ + part661, + part662, + ]); + + var all135 = all_match({ + processors: [ + part660, + select146, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg395 = msg("00019:18", all135); + + var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg396 = msg("00019:19", part663); + + var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg397 = msg("00019:20", part664); + + var select147 = linear_select([ + msg377, + msg378, + msg379, + msg380, + msg381, + msg382, + msg383, + msg384, + msg385, + msg386, + msg387, + msg388, + msg389, + msg390, + msg391, + msg392, + msg393, + msg394, + msg395, + msg396, + msg397, + ]); + + var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg398 = msg("00020", part665); + + var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); + + var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); + + var select148 = linear_select([ + dup152, + part667, + ]); + + var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); + + var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); + + var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); + + var select149 = linear_select([ + part669, + part670, + ]); + + var all136 = all_match({ + processors: [ + part666, + select148, + part668, + select149, + ], + on_success: processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg399 = msg("00020:01", all136); + + var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg400 = msg("00020:02", part671); + + var select150 = linear_select([ + msg398, + msg399, + msg400, + ]); + + var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg401 = msg("00021", part672); + + var 
part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg402 = msg("00021:01", part673); + + var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg403 = msg("00021:02", part674); + + var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ + dup185, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg404 = msg("00021:03", part675); + + var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg405 = msg("00021:04", part676); + + var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg406 = msg("00021:05", part677); + + var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + setc("info","DIP port-translation stickiness was modified"), + ])); + + var msg407 = msg("00021:06", part678); + + var select151 = linear_select([ + msg401, + msg402, + msg403, + msg404, + msg405, + msg406, + msg407, + ]); + + var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); + + var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); + + var select152 = linear_select([ + part679, + part680, + ]); + + var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning 
properly"); + + var all137 = all_match({ + processors: [ + dup186, + select152, + part681, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg408 = msg("00022", all137); + + var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); + + var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); + + var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); + + var select153 = linear_select([ + part682, + part683, + part684, + ]); + + var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); + + var all138 = all_match({ + processors: [ + select153, + part685, + dup368, + ], + on_success: processor_chain([ + dup187, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg409 = msg("00022:01", all138); + + var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg410 = msg("00022:02", part686); + + var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg411 = msg("00022:03", part687); + + var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); + + var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); + + var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); + + var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); + + var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); + + var select154 = linear_select([ + part689, + part690, + part691, + part692, + ]); + + var part693 = 
match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); + + var all139 = all_match({ + processors: [ + part688, + select154, + part693, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg412 = msg("00022:04", all139); + + var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg413 = msg("00022:05", part694); + + var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); + + var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); + + var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); + + var select155 = linear_select([ + part696, + part697, + ]); + + var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); + + var all140 = all_match({ + processors: [ + part695, + select155, + part698, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg414 = msg("00022:06", all140); + + var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg415 = msg("00022:07", part699); + + var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); + + var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); + + var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); + + var select156 = linear_select([ + part700, + part701, + part702, + ]); + + var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); + + var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); + + var select157 = 
linear_select([ + part704, + dup96, + ]); + + var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); + + var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); + + var select158 = linear_select([ + part706, + dup96, + ]); + + var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); + + var all141 = all_match({ + processors: [ + select156, + part703, + select157, + part705, + select158, + part707, + ], + on_success: processor_chain([ + dup188, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg416 = msg("00022:08", all141); + + var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); + + var select159 = linear_select([ + dup191, + dup192, + ]); + + var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); + + var all142 = all_match({ + processors: [ + dup55, + dup369, + part708, + select159, + part709, + ], + on_success: processor_chain([ + dup188, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg417 = msg("00022:09", all142); + + var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); + + var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); + + var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); + + var select160 = linear_select([ + part711, + part712, + ]); + + var all143 = all_match({ + processors: [ + part710, + select160, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg418 = msg("00022:10", all143); + + var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); + + var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); + + var part715 = match("MESSAGE#416:00022:11/1_1", 
"nwparser.p0", "the loader, but the loader is intact%{}"); + + var select161 = linear_select([ + part714, + part715, + ]); + + var all144 = all_match({ + processors: [ + part713, + select161, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg419 = msg("00022:11", all144); + + var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); + + var select162 = linear_select([ + dup192, + dup191, + ]); + + var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); + + var all145 = all_match({ + processors: [ + part716, + select162, + part717, + ], + on_success: processor_chain([ + dup188, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg420 = msg("00022:12", all145); + + var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg421 = msg("00022:13", part718); + + var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg422 = msg("00022:14", part719); + + var select163 = linear_select([ + msg408, + msg409, + msg410, + msg411, + msg412, + msg413, + msg414, + msg415, + msg416, + msg417, + msg418, + msg419, + msg420, + msg421, + msg422, + ]); + + var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg423 = msg("00023", part720); + + var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg424 = msg("00023:01", part721); + + var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg425 = msg("00023:02", part722); + + var select164 = linear_select([ + msg423, + msg424, + msg425, + ]); + + var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); + + var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); + + var select165 = linear_select([ + part723, + part724, + ]); + + var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); + + var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); + + var select166 = linear_select([ + part725, + part726, + ]); + + var all146 = all_match({ + processors: [ + select165, + dup193, + select166, + dup52, + dup368, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg426 = msg("00024", all146); + + var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); + + var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); + + var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); + + var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); + + var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); + + var select167 = linear_select([ + part727, + part728, + part729, + part730, + part731, + ]); + + var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); + + var all147 = all_match({ + processors: [ + select167, + part732, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg427 = msg("00024:01", all147); + + var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); + + var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); + + var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); + + var select168 = linear_select([ + part734, + part735, + ]); + + var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); + + var all148 = all_match({ + processors: [ + part733, + select168, + part736, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg428 = msg("00024:02", all148); + + var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); + + var select169 = linear_select([ + dup194, + dup106, + ]); + + var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); + + var all149 = all_match({ + processors: [ + part737, + select169, + part738, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg429 = msg("00024:03", all149); + + var select170 = linear_select([ + msg426, + msg427, + msg428, + msg429, + ]); + + var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg430 = msg("00025", part739); + + var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg431 = msg("00025:01", part740); + + var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg432 = msg("00025:02", part741); + + var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg433 = msg("00025:03", part742); + + var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg434 = msg("00025:04", part743); + + var select171 = linear_select([ + msg430, + msg431, + msg432, + msg433, + msg434, + ]); + + var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg435 = msg("00026", part744); + + var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg436 = msg("00026:13", part745); + + var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); + + var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); + + var all150 = all_match({ + processors: [ + dup195, + dup370, + part746, + dup371, + part747, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg437 = msg("00026:01", all150); + + var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); + + var select172 = linear_select([ + part748, + dup96, + ]); + + var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); + + var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); + + var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); + + var select173 = linear_select([ + part750, + part751, + ]); + + var all151 = all_match({ + processors: [ + dup195, + select172, + part749, + select173, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg438 = msg("00026:02", all151); + + var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); + + var all152 = all_match({ + processors: [ + dup195, + dup370, + part752, + ], 
+ on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg439 = msg("00026:03", all152); + + var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ + dup198, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg440 = msg("00026:04", part753); + + var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ + dup198, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg441 = msg("00026:05", part754); + + var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ + dup199, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg442 = msg("00026:06", part755); + + var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ + dup199, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg443 = msg("00026:07", part756); + + var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); + + var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); + + var all153 = all_match({ + processors: [ + part757, + dup372, + part758, + ], + on_success: processor_chain([ + dup199, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg444 = msg("00026:08", all153); + + var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + 
])); + + var msg445 = msg("00026:09", part759); + + var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); + + var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); + + var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); + + var select174 = linear_select([ + part761, + part762, + ]); + + var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); + + var select175 = linear_select([ + part763, + dup201, + ]); + + var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); + + var all154 = all_match({ + processors: [ + part760, + select174, + dup103, + select175, + dup202, + dup373, + part764, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg446 = msg("00026:10", all154); + + var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg447 = msg("00026:11", part765); + + var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg448 = msg("00026:12", part766); + + var select176 = linear_select([ + msg435, + msg436, + msg437, + msg438, + msg439, + msg440, + msg441, + msg442, + msg443, + msg444, + msg445, + msg446, + msg447, + msg448, + ]); + + var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); + + var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); + + var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); + + var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); + + var select177 = linear_select([ + part768, + part769, + part770, + ]); + + var all155 = all_match({ + processors: [ + dup204, + dup374, + part767, + select177, + ], + on_success: processor_chain([ + dup206, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg449 = msg("00027", all155); + + var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg450 = msg("00027:01", part771); + + var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg451 = msg("00027:02", part772); + + var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg452 = msg("00027:03", part773); + + var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg453 = msg("00027:04", part774); + + var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); + + var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); + + var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); + + var select178 = linear_select([ + part776, + part777, + ]); + + var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); + + var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); + + var select179 = linear_select([ + part779, + dup127, + ]); + + var select180 = linear_select([ + dup207, + dup208, + ]); + + var all156 = all_match({ + processors: [ + part775, + select178, + part778, + select179, + dup23, + select180, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg454 = msg("00027:05", all156); + + var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); + + var select181 = linear_select([ + dup208, + dup207, + ]); + + var all157 = all_match({ + processors: [ + part780, + select181, + ], + on_success: processor_chain([ + setc("eventcategory","1606000000"), + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg455 = msg("00027:06", all157); + + var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg456 = msg("00027:07", part781); + + var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg457 = msg("00027:08", part782); + + var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg458 = msg("00027:09", part783); + + var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg459 = msg("00027:10", part784); + + var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg460 = msg("00027:11", part785); + + var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); + + var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); + + var select182 = linear_select([ + part787, + dup193, + ]); + + var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); + + var all158 = all_match({ + processors: [ + part786, + select182, + part788, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg461 = msg("00027:12", all158); + + var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); + + var all159 = all_match({ + processors: [ + dup204, + dup374, + part789, + ], + on_success: processor_chain([ + dup206, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg462 = msg("00027:13", all159); + + var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); + + var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); + + var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); + + var select183 = linear_select([ + part791, + part792, + ]); + + var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); + + var all160 = all_match({ + processors: [ + part790, + select183, + part793, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg463 = msg("00027:14", all160); + + var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg464 = msg("00027:15", part794); + + var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg465 = msg("00027:16", part795); + + var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg466 = msg("00027:17", part796); + + var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg467 = msg("00027:18", part797); + + var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg468 = msg("00027:19", part798); + + var select184 = linear_select([ + msg449, + msg450, + msg451, + msg452, + msg453, + msg454, + msg455, + msg456, + msg457, + msg458, + msg459, + msg460, + msg461, + msg462, + msg463, + msg464, + msg465, + msg466, + msg467, + msg468, + ]); + + var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); + + var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); + + var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); + + var select185 = linear_select([ + part799, + part800, + part801, + ]); + + var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has 
attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); + + var all161 = all_match({ + processors: [ + select185, + part802, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + setc("signame","Attempt to Connect to the NetScreen-Global Port"), + ]), + }); + + var msg469 = msg("00028", all161); + + var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg470 = msg("00029", part803); + + var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg471 = msg("00029:01", part804); + + var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); + + var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); + + var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); + + var select186 = linear_select([ + part806, + part807, + ]); + + var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); + + var all162 = all_match({ + processors: [ + part805, + select186, + part808, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg472 = msg("00029:02", all162); + + var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); + + var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); + + var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); + + var select187 = linear_select([ + part810, + part811, + ]); + + var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); + + var all163 = all_match({ + processors: [ + dup210, + dup337, + part809, + select187, + part812, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg473 = msg("00029:03", all163); + + var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg474 = msg("00029:04", part813); + + var select188 = linear_select([ + msg470, + msg471, + msg472, + msg473, + msg474, + ]); + + var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg475 = msg("00030", part814); + + var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); + + var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); + + var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); + + var select189 = linear_select([ + part816, + part817, + ]); + + var all164 = all_match({ + processors: [ + part815, + select189, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg476 = msg("00030:01", all164); + + var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg477 = msg("00030:05", part818); + + var part819 = 
match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg478 = msg("00030:06", part819); + + var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg479 = msg("00030:07", part820); + + var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg480 = msg("00030:10", part821); + + var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg481 = msg("00030:12", part822); + + var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); + + var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); + + var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); + + var select190 = linear_select([ + part824, + part825, + ]); + + var all165 = all_match({ + processors: [ + part823, + select190, + ], + on_success: processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg482 = msg("00030:13", all165); + + var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); + + var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); + + var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); + + var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); + + var select191 = linear_select([ + part826, + part827, + part828, + part829, + ]); + + var part830 = 
match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); + + var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); + + var select192 = linear_select([ + part831, + dup16, + ]); + + var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); + + var all166 = all_match({ + processors: [ + dup55, + select191, + part830, + select192, + part832, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg483 = msg("00030:14", all166); + + var msg484 = msg("00030:02", dup375); + + var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg485 = msg("00030:15", part833); + + var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg486 = msg("00030:16", part834); + + var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg487 = msg("00030:18", part835); + + var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); + + var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); + + var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); + + var select193 = linear_select([ + part837, + part838, + ]); + + var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); + + var all167 = all_match({ + processors: [ + part836, + select193, + part839, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var 
msg488 = msg("00030:19", all167); + + var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg489 = msg("00030:30", part840); + + var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg490 = msg("00030:31", part841); + + var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg491 = msg("00030:32", part842); + + var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg492 = msg("00030:33", part843); + + var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg493 = msg("00030:34", part844); + + var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg494 = msg("00030:35", part845); + + var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg495 = msg("00030:36", part846); + + var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + 
+ var msg496 = msg("00030:37", part847); + + var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg497 = msg("00030:38", part848); + + var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); + + var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); + + var select194 = linear_select([ + part850, + dup16, + ]); + + var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); + + var all168 = all_match({ + processors: [ + part849, + select194, + part851, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg498 = msg("00030:39", all168); + + var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); + + var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); + + var all169 = all_match({ + processors: [ + part852, + dup376, + part853, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg499 = msg("00030:17", all169); + + var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); + + var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); + + var select195 = linear_select([ + dup214, + part855, + ]); + + var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); + + var all170 = all_match({ + processors: [ + part854, + select195, + part856, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg500 = msg("00030:40", all170); + + var part857 = match("MESSAGE#494:00030:41", 
"nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg501 = msg("00030:41", part857); + + var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg502 = msg("00030:42", part858); + + var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg503 = msg("00030:43", part859); + + var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg504 = msg("00030:44", part860); + + var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg505 = msg("00030:45", part861); + + var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg506 = msg("00030:46", part862); + + var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg507 = msg("00030:47", part863); + + var part864 = match("MESSAGE#501:00030:48", 
"nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg508 = msg("00030:48", part864); + + var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg509 = msg("00030:49", part865); + + var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg510 = msg("00030:50", part866); + + var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg511 = msg("00030:51", part867); + + var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg512 = msg("00030:52", part868); + + var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg513 = msg("00030:53", part869); + + var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ + dup44, + dup211, + dup31, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg514 = msg("00030:54", part870); + + var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: 
The device could not generate %{p0}"); + + var all171 = all_match({ + processors: [ + part871, + dup377, + dup217, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg515 = msg("00030:55", all171); + + var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg516 = msg("00030:56", part872); + + var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ + dup35, + dup218, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg517 = msg("00030:57", part873); + + var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ + dup86, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg518 = msg("00030:58", part874); + + var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ + dup35, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg519 = msg("00030:59", part875); + + var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ + dup35, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg520 = msg("00030:60", part876); + + var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg521 = msg("00030:61", part877); + + var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", 
"PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg522 = msg("00030:62", part878); + + var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ + dup18, + dup219, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg523 = msg("00030:63", part879); + + var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ + dup18, + dup218, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg524 = msg("00030:64", part880); + + var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ + dup18, + dup218, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg525 = msg("00030:65", part881); + + var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg526 = msg("00030:66", part882); + + var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg527 = msg("00030:67", part883); + + var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg528 = msg("00030:68", part884); + + var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI 
data.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg529 = msg("00030:69", part885); + + var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); + + var all172 = all_match({ + processors: [ + part886, + dup377, + dup217, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg530 = msg("00030:70", all172); + + var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg531 = msg("00030:71", part887); + + var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg532 = msg("00030:72", part888); + + var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); + + var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); + + var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); + + var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); + + var select196 = linear_select([ + part890, + part891, + part892, + ]); + + var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); + + var all173 = all_match({ + processors: [ + part889, + select196, + part893, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg533 = msg("00030:73", all173); + + var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ + dup44, 
+ dup2, + dup3, + dup4, + dup5, + ])); + + var msg534 = msg("00030:74", part894); + + var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg535 = msg("00030:75", part895); + + var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); + + var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); + + var all174 = all_match({ + processors: [ + part896, + dup376, + part897, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg536 = msg("00030:76", all174); + + var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ + dup18, + dup218, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg537 = msg("00030:77", part898); + + var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ + dup35, + dup211, + dup220, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg538 = msg("00030:78", part899); + + var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ + dup35, + dup211, + dup220, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg539 = msg("00030:79", part900); + + var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg540 = msg("00030:80", part901); + + var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg541 = msg("00030:81", 
part902); + + var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg542 = msg("00030:82", part903); + + var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg543 = msg("00030:83", part904); + + var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg544 = msg("00030:84", part905); + + var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ + setc("eventcategory","1603080000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg545 = msg("00030:85", part906); + + var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); + + var all175 = all_match({ + processors: [ + dup221, + dup378, + part907, + ], + on_success: processor_chain([ + dup223, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg546 = msg("00030:86", all175); + + var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + dup9, + ])); + + var msg547 = msg("00030:87", part908); + + var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); + + var all176 = all_match({ + processors: [ + dup221, + dup378, + part909, + ], + on_success: processor_chain([ + dup223, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg548 = msg("00030:88", all176); + + var select197 = linear_select([ + msg475, + msg476, + msg477, + msg478, + msg479, + msg480, + msg481, + msg482, + msg483, + msg484, + msg485, + msg486, + msg487, + msg488, + msg489, + msg490, + msg491, + msg492, + msg493, + msg494, + msg495, + msg496, + msg497, + msg498, + msg499, + msg500, + msg501, + msg502, + msg503, + msg504, + msg505, + msg506, + msg507, + msg508, + msg509, + msg510, + msg511, + msg512, + msg513, + msg514, + msg515, + msg516, + msg517, + msg518, + msg519, + msg520, + msg521, + msg522, + msg523, + msg524, + msg525, + msg526, + msg527, + msg528, + msg529, + msg530, + msg531, + msg532, + msg533, + msg534, + msg535, + msg536, + msg537, + msg538, + msg539, + msg540, + msg541, + msg542, + msg543, + msg544, + msg545, + msg546, + msg547, + msg548, + ]); + + var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg549 = msg("00031:13", part910); + + var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg550 = msg("00031", part911); + + var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg551 = msg("00031:01", part912); + + var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); + + var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); + + var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); + + var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); + + var all177 = all_match({ + processors: [ + part913, + dup379, + part914, + dup379, + part915, + dup379, + part916, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg552 = msg("00031:02", all177); + + var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); + + var select198 = linear_select([ + dup130, + dup129, + ]); + + var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); + + var all178 = all_match({ + processors: [ + part917, + select198, + part918, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg553 = msg("00031:03", all178); + + var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); + + var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); + + var select199 = linear_select([ + part920, + dup226, + ]); + + var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); + + var all179 = all_match({ + processors: [ + part919, + select199, + part921, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg554 = msg("00031:04", all179); + + var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); + + var select200 = linear_select([ + dup226, + dup25, + ]); + + var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); + + var all180 = all_match({ + processors: [ + part922, + select200, + part923, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg555 = msg("00031:11", all180); + + var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); + + var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); + + var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); + + var select201 = linear_select([ + part925, + part926, + ]); + + var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); + + var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); + + var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); + + var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); + + var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); + + var select202 = linear_select([ + part931, + dup96, + ]); + + var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); + + var all181 = all_match({ + processors: [ + part924, + select201, + part927, + dup379, + part928, + dup379, + part929, + dup379, + part930, + select202, + part932, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg556 = msg("00031:08", all181); + + var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); + + var all182 = all_match({ + processors: [ + part933, + dup337, + dup227, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg557 = msg("00031:05", all182); + + var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); + + var select203 = linear_select([ + part934, + dup229, + dup230, + ]); + + var part935 = 
match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); + + var select204 = linear_select([ + dup105, + dup96, + ]); + + var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); + + var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); + + var all183 = all_match({ + processors: [ + dup228, + select203, + part935, + select204, + part936, + dup356, + part937, + dup352, + dup23, + dup380, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg558 = msg("00031:06", all183); + + var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); + + var all184 = all_match({ + processors: [ + dup228, + dup381, + part938, + dup337, + dup227, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg559 = msg("00031:07", all184); + + var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); + + var all185 = all_match({ + processors: [ + dup228, + dup381, + part939, + dup380, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg560 = msg("00031:09", all185); + + var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg561 = msg("00031:10", part940); + + var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg562 = msg("00031:12", part941); + + var select205 = linear_select([ + msg549, + msg550, + msg551, + msg552, + msg553, + msg554, + msg555, + msg556, + msg557, + msg558, + msg559, + msg560, + msg561, + msg562, + ]); + + var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup232, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg563 = msg("00032", part942); + + var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg564 = msg("00032:01", part943); + + var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); + + var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); + + var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); + + var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); + + var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); + + var select206 = linear_select([ + part945, + part946, + part947, + part948, + ]); + + var all186 = all_match({ + processors: [ + part944, + select206, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg565 = msg("00032:03", all186); + + var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred 
%{dclass_counter1->} times", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, + ])); + + var msg566 = msg("00032:04", part949); + + var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg567 = msg("00032:05", part950); + + var msg568 = msg("00032:02", dup375); + + var select207 = linear_select([ + msg563, + msg564, + msg565, + msg566, + msg567, + msg568, + ]); + + var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("agent","NSM"), + ])); + + var msg569 = msg("00033:25", part951); + + var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); + + var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); + + var select208 = linear_select([ + dup52, + part953, + ]); + + var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); + + var all187 = all_match({ + processors: [ + dup382, + part952, + select208, + part954, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg570 = msg("00033", all187); + + var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); + + var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); + + var select209 = linear_select([ + part955, + part956, + ]); + + var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); + + var all188 = all_match({ + processors: [ + dup160, + select209, + dup23, + dup369, + part957, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg571 = msg("00033:03", all188); + + var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host 
has been %{disposition}"); + + var all189 = all_match({ + processors: [ + dup382, + dup23, + dup369, + part958, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg572 = msg("00033:02", all189); + + var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg573 = msg("00033:04", part959); + + var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg574 = msg("00033:05", part960); + + var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ + dup27, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg575 = msg("00033:06", part961); + + var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ + dup27, + dup2, + dup3, + setc("dclass_counter1_string","Number of times the threshold was exceeded"), + dup4, + dup5, + dup61, + ])); + + var msg576 = msg("00033:01", part962); + + var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg577 = msg("00033:07", part963); + + var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); + + var all190 = all_match({ + processors: [ + dup235, + dup383, + part964, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg578 = msg("00033:08", all190); + + var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); + + var all191 = all_match({ + processors: [ + dup235, + dup383, + part965, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg579 = msg("00033:09", all191); + + var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); + + var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); + + var select210 = linear_select([ + part967, + dup238, + ]); + + var all192 = all_match({ + processors: [ + dup235, + dup383, + part966, + select210, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg580 = msg("00033:10", all192); + + var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); + + var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); + + var all193 = all_match({ + processors: [ + dup235, + dup383, + part968, + dup383, + part969, + ], + 
on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg581 = msg("00033:11", all193); + + var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); + + var select211 = linear_select([ + dup101, + dup238, + ]); + + var all194 = all_match({ + processors: [ + dup235, + dup383, + part970, + select211, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg582 = msg("00033:12", all194); + + var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); + + var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); + + var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); + + var select212 = linear_select([ + part972, + part973, + ]); + + var all195 = all_match({ + processors: [ + dup235, + dup383, + part971, + select212, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg583 = msg("00033:13", all195); + + var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); + + var all196 = all_match({ + processors: [ + dup235, + dup383, + part974, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg584 = msg("00033:14", all196); + + var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); + + var all197 = all_match({ + processors: [ + dup235, + dup383, + part975, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg585 = msg("00033:15", all197); + + var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); + + var all198 = all_match({ + processors: [ + dup235, + dup383, + part976, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, 
+ dup5, + ]), + }); + + var msg586 = msg("00033:16", all198); + + var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); + + var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); + + var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); + + var select213 = linear_select([ + part978, + part979, + ]); + + var all199 = all_match({ + processors: [ + dup235, + dup383, + part977, + select213, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg587 = msg("00033:17", all199); + + var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); + + var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); + + var all200 = all_match({ + processors: [ + part980, + dup339, + dup70, + dup340, + part981, + ], + on_success: processor_chain([ + dup27, + dup2, + dup4, + dup5, + dup3, + dup59, + dup61, + ]), + }); + + var msg588 = msg("00033:19", all200); + + var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ + dup27, + dup2, + dup4, + dup5, + dup3, + dup59, + dup60, + ])); + + var msg589 = msg("00033:20", part982); + + var all201 = all_match({ + processors: [ + dup239, + dup343, + dup83, + ], + on_success: processor_chain([ + dup27, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg590 = msg("00033:21", all201); + + var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var all202 = all_match({ + processors: [ + part983, + dup343, + dup83, + ], + on_success: processor_chain([ + dup27, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg591 = msg("00033:22", all202); + + var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg592 = msg("00033:23", part984); + + var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ + setc("eventcategory","1001030500"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg593 = msg("00033:24", part985); + + var select214 = linear_select([ + msg569, + msg570, + msg571, + msg572, + msg573, + msg574, + msg575, + msg576, + msg577, + msg578, + msg579, + msg580, + msg581, + msg582, + msg583, + msg584, + msg585, + msg586, + msg587, + msg588, + msg589, + msg590, + msg591, + msg592, + msg593, + ]); + + var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); + + var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); + + var select215 = linear_select([ + part986, + part987, + ]); + + var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); + + var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); + + var select216 = linear_select([ + part988, + dup201, + part989, + ]); + + var select217 = linear_select([ + dup196, + dup103, + dup163, + ]); + + var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); + + var all203 = all_match({ + processors: [ + select215, + dup103, + select216, + dup202, + select217, + part990, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg594 = msg("00034", all203); + + var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); + + var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); + + var select218 = linear_select([ + part991, + part992, + ]); + + var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); + + var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); + + var select219 = linear_select([ + part994, + dup241, + ]); + + var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); + + var all204 = all_match({ + processors: [ + select218, + part993, + select219, + part995, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg595 = msg("00034:01", all204); + + var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg596 = msg("00034:02", part996); + + var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); + + var all205 = all_match({ + processors: [ + dup384, + part997, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg597 = msg("00034:03", all205); + + var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg598 = msg("00034:04", part998); + + var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg599 = msg("00034:05", part999); + + var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); + + var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); + + var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); + + var select220 = linear_select([ + part1001, + part1002, + ]); + + var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); + + var all206 = all_match({ + processors: [ + dup384, + part1000, + select220, + part1003, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg600 = msg("00034:06", all206); + + var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg601 = msg("00034:07", part1004); + + var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg602 = msg("00034:08", part1005); + + var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg603 = msg("00034:09", part1006); + + var part1007 = 
match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); + + var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); + + var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); + + var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); + + var select221 = linear_select([ + part1009, + part1010, + ]); + + var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); + + var all207 = all_match({ + processors: [ + dup244, + dup385, + part1007, + dup352, + part1008, + select221, + part1011, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg604 = msg("00034:10", all207); + + var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); + + var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); + + var all208 = all_match({ + processors: [ + dup244, + dup385, + part1012, + dup386, + part1013, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg605 = msg("00034:12", all208); + + var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); + + var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); + + var all209 = all_match({ + processors: [ + dup244, + dup385, + part1014, + dup386, + part1015, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg606 = msg("00034:11", all209); + + var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ + dup240, + 
dup2, + dup3, + dup4, + dup5, + ])); + + var msg607 = msg("00034:15", part1016); + + var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); + + var all210 = all_match({ + processors: [ + dup244, + dup387, + part1017, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg608 = msg("00034:18", all210); + + var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); + + var all211 = all_match({ + processors: [ + dup244, + dup387, + part1018, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg609 = msg("00034:20", all211); + + var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); + + var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); + + var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); + + var select222 = linear_select([ + part1021, + dup156, + ]); + + var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); + + var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); + + var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); + + var select223 = linear_select([ + part1023, + part1024, + ]); + + var all212 = all_match({ + processors: [ + dup244, + dup387, + part1019, + dup372, + part1020, + select222, + part1022, + select223, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg610 = msg("00034:21", all212); + + var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS 
to vsys %{fld2->} using the shared untrusted interface", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg611 = msg("00034:22", part1025); + + var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); + + var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); + + var select224 = linear_select([ + part1026, + part1027, + ]); + + var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); + + var all213 = all_match({ + processors: [ + dup160, + select224, + part1028, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg612 = msg("00034:23", all213); + + var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg613 = msg("00034:24", part1029); + + var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg614 = msg("00034:25", part1030); + + var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg615 = msg("00034:26", part1031); + + var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg616 = msg("00034:27", part1032); + + var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg617 = msg("00034:28", part1033); + + var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg618 = msg("00034:29", part1034); + + var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg619 = msg("00034:30", part1035); + + var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg620 = msg("00034:31", part1036); + + var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg621 = msg("00034:32", part1037); + + var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg622 = msg("00034:33", part1038); + + var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg623 = msg("00034:34", part1039); + + var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg624 = msg("00034:35", part1040); + + var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg625 = msg("00034:36", part1041); + + var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg626 = msg("00034:37", part1042); + + var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg627 = msg("00034:38", part1043); + + var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg628 = msg("00034:39", part1044); + + var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg629 = msg("00034:40", part1045); + + var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file 
%{p0}"); + + var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); + + var all214 = all_match({ + processors: [ + part1046, + dup373, + part1047, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg630 = msg("00034:41", all214); + + var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg631 = msg("00034:42", part1048); + + var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg632 = msg("00034:43", part1049); + + var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg633 = msg("00034:44", part1050); + + var select225 = linear_select([ + msg594, + msg595, + msg596, + msg597, + msg598, + msg599, + msg600, + msg601, + msg602, + msg603, + msg604, + msg605, + msg606, + msg607, + msg608, + msg609, + msg610, + msg611, + msg612, + msg613, + msg614, + msg615, + msg616, + msg617, + msg618, + msg619, + msg620, + msg621, + msg622, + msg623, + msg624, + msg625, + msg626, + msg627, + msg628, + msg629, + msg630, + msg631, + msg632, + msg633, + ]); + + var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg634 = msg("00035", part1051); + + var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + 
dup5, + ])); + + var msg635 = msg("00035:01", part1052); + + var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg636 = msg("00035:02", part1053); + + var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg637 = msg("00035:03", part1054); + + var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); + + var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); + + var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); + + var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); + + var select226 = linear_select([ + part1056, + part1057, + part1058, + ]); + + var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); + + var all215 = all_match({ + processors: [ + part1055, + select226, + part1059, + ], + on_success: processor_chain([ + dup117, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg638 = msg("00035:04", all215); + + var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg639 = msg("00035:05", part1060); + + var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); + + var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); + + var all216 = all_match({ + processors: [ + part1061, + dup388, + part1062, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg640 = msg("00035:06", all216); + + var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg641 = msg("00035:07", part1063); + + var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg642 = msg("00035:08", part1064); + + var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); + + var select227 = linear_select([ + part1065, + dup92, + ]); + + var all217 = all_match({ + processors: [ + dup253, + select227, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg643 = msg("00035:09", all217); + + var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); + + var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); + + var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); + + var select228 = linear_select([ + part1067, + part1068, + ]); + + var all218 = all_match({ + processors: [ + part1066, + select228, + ], + on_success: processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg644 = msg("00035:10", all218); + + var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); + + var part1070 = 
match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); + + var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); + + var select229 = linear_select([ + part1070, + part1071, + ]); + + var all219 = all_match({ + processors: [ + part1069, + select229, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg645 = msg("00035:11", all219); + + var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); + + var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); + + var all220 = all_match({ + processors: [ + part1072, + dup388, + part1073, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg646 = msg("00035:12", all220); + + var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); + + var select230 = linear_select([ + dup101, + part1074, + ]); + + var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. 
Key type is not RSA%{}"); + + var all221 = all_match({ + processors: [ + dup253, + select230, + part1075, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg647 = msg("00035:13", all221); + + var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg648 = msg("00035:14", part1076); + + var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); + + var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); + + var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); + + var select231 = linear_select([ + part1078, + part1079, + ]); + + var all222 = all_match({ + processors: [ + part1077, + select231, + ], + on_success: processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg649 = msg("00035:15", all222); + + var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg650 = msg("00035:16", part1080); + + var select232 = linear_select([ + msg634, + msg635, + msg636, + msg637, + msg638, + msg639, + msg640, + msg641, + msg642, + msg643, + msg644, + msg645, + msg646, + msg647, + msg648, + msg649, + msg650, + ]); + + var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg651 = msg("00036", part1081); + + var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); + + var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); 
+ + var select233 = linear_select([ + dup214, + part1083, + ]); + + var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); + + var all223 = all_match({ + processors: [ + part1082, + select233, + part1084, + ], + on_success: processor_chain([ + dup254, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg652 = msg("00036:01", all223); + + var select234 = linear_select([ + msg651, + msg652, + ]); + + var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); + + var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); + + var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); + + var select235 = linear_select([ + part1086, + part1087, + ]); + + var all224 = all_match({ + processors: [ + part1085, + select235, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg653 = msg("00037", all224); + + var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); + + var select236 = linear_select([ + dup255, + dup256, + ]); + + var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); + + var all225 = all_match({ + processors: [ + part1088, + select236, + part1089, + dup351, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg654 = msg("00037:01", all225); + + var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg655 = msg("00037:02", part1090); + + var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); + + var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); + + var select237 = linear_select([ + part1091, + part1092, + ]); + + var part1093 = match("MESSAGE#646:00037:03/3", 
"nwparser.p0", "virtual router %{p0}"); + + var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); + + var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); + + var select238 = linear_select([ + part1094, + part1095, + ]); + + var all226 = all_match({ + processors: [ + dup113, + select237, + dup371, + part1093, + select238, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg656 = msg("00037:03", all226); + + var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg657 = msg("00037:04", part1096); + + var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); + + var select239 = linear_select([ + dup256, + dup255, + ]); + + var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); + + var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); + + var select240 = linear_select([ + dup10, + part1099, + ]); + + var all227 = all_match({ + processors: [ + part1097, + select239, + part1098, + select240, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg658 = msg("00037:05", all227); + + var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg659 = msg("00037:06", part1100); + + var select241 = linear_select([ + msg653, + msg654, + msg655, + msg656, + msg657, + msg658, + msg659, + ]); + + var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); + + var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); + + var part1103 = match("MESSAGE#650:00038/1_1", 
"nwparser.p0", "%{node->} %{p0}"); + + var select242 = linear_select([ + part1102, + part1103, + ]); + + var all228 = all_match({ + processors: [ + part1101, + select242, + dup36, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg660 = msg("00038", all228); + + var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg661 = msg("00039", part1104); + + var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); + + var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); + + var select243 = linear_select([ + part1105, + part1106, + ]); + + var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); + + var all229 = all_match({ + processors: [ + select243, + part1107, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg662 = msg("00040", all229); + + var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg663 = msg("00040:01", part1108); + + var select244 = linear_select([ + msg662, + msg663, + ]); + + var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg664 = msg("00041", part1109); + + var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg665 = msg("00041:01", part1110); + + var select245 = linear_select([ + msg664, + msg665, + ]); + + var part1111 = 
match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg666 = msg("00042", part1111); + + var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup9, + dup4, + dup5, + dup60, + ])); + + var msg667 = msg("00042:01", part1112); + + var select246 = linear_select([ + msg666, + msg667, + ]); + + var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg668 = msg("00043", part1113); + + var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); + + var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); + + var select247 = linear_select([ + dup257, + part1115, + ]); + + var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); + + var all230 = all_match({ + processors: [ + part1114, + select247, + part1116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg669 = msg("00044", all230); + + var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg670 = msg("00044:01", part1117); + + var select248 = linear_select([ + msg669, + msg670, + ]); + + var part1118 = 
match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg671 = msg("00045", part1118); + + var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); + + var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); + + var select249 = linear_select([ + part1119, + part1120, + ]); + + var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); + + var all231 = all_match({ + processors: [ + dup183, + select249, + part1121, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg672 = msg("00047", all231); + + var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); + + var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); + + var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); + + var select250 = linear_select([ + part1123, + part1124, + ]); + + var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); + + var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); + + var select251 = linear_select([ + part1126, + dup112, + ]); + + var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); + + var select252 = linear_select([ + part1127, + dup139, + ]); + + var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); + + var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); + + var select253 = linear_select([ + part1129, + dup16, + ]); + + var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); + + var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); + + var select254 = 
linear_select([ + part1131, + dup129, + ]); + + var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); + + var all232 = all_match({ + processors: [ + part1122, + select250, + part1125, + select251, + dup257, + select252, + part1128, + select253, + part1130, + select254, + part1132, + ], + on_success: processor_chain([ + setc("eventcategory","1501000000"), + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg673 = msg("00048", all232); + + var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); + + var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); + + var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); + + var select255 = linear_select([ + part1134, + part1135, + ]); + + var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); + + var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); + + var select256 = linear_select([ + part1137, + dup105, + ]); + + var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); + + var all233 = all_match({ + processors: [ + part1133, + select255, + part1136, + select256, + part1138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg674 = msg("00048:01", all233); + + var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ + dup209, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg675 = msg("00048:02", part1139); + + var select257 = linear_select([ + msg673, + msg674, + msg675, + ]); + + var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ + 
dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg676 = msg("00049", part1140); + + var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg677 = msg("00049:01", part1141); + + var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg678 = msg("00049:02", part1142); + + var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg679 = msg("00049:03", part1143); + + var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg680 = msg("00049:04", part1144); + + var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg681 = msg("00049:05", part1145); + + var select258 = linear_select([ + msg676, + msg677, + msg678, + msg679, + msg680, + msg681, + ]); + + var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg682 = msg("00050", part1146); + + var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg683 = msg("00051", part1147); + + var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg684 = msg("00052", part1148); + + var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); + + var select259 = linear_select([ + dup169, + part1149, + ]); + + var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); + + var all234 = all_match({ + processors: [ + dup258, + select259, + part1150, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg685 = msg("00055", all234); + + var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); + + var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); + + var select260 = linear_select([ + part1151, + part1152, + ]); + + var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); + + var all235 = all_match({ + processors: [ + dup258, + select260, + part1153, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, 
+ dup5, + ]), + }); + + var msg686 = msg("00055:01", all235); + + var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); + + var all236 = all_match({ + processors: [ + dup259, + dup389, + part1154, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg687 = msg("00055:02", all236); + + var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); + + var all237 = all_match({ + processors: [ + dup259, + dup389, + part1155, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg688 = msg("00055:03", all237); + + var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg689 = msg("00055:04", part1156); + + var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); + + var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); + + var select261 = linear_select([ + dup110, + part1158, + ]); + + var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); + + var all238 = all_match({ + processors: [ + part1157, + select261, + part1159, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg690 = msg("00055:05", all238); + + var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); + + var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); + + var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); + + var select262 = linear_select([ + part1161, + part1162, + ]); + + var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface 
%{interface}."); + + var all239 = all_match({ + processors: [ + part1160, + select262, + part1163, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg691 = msg("00055:06", all239); + + var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); + + var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); + + var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); + + var select263 = linear_select([ + part1164, + part1165, + part1166, + ]); + + var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); + + var all240 = all_match({ + processors: [ + dup258, + select263, + part1167, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg692 = msg("00055:07", all240); + + var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); + + var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); + + var select264 = linear_select([ + part1168, + part1169, + ]); + + var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); + + var all241 = all_match({ + processors: [ + dup258, + select264, + part1170, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg693 = msg("00055:08", all241); + + var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg694 = msg("00055:09", part1171); + + var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg695 = msg("00055:10", part1172); + 
+ var select265 = linear_select([ + msg685, + msg686, + msg687, + msg688, + msg689, + msg690, + msg691, + msg692, + msg693, + msg694, + msg695, + ]); + + var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg696 = msg("00056", part1173); + + var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg697 = msg("00057", part1174); + + var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg698 = msg("00058", part1175); + + var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); + + var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); + + var select266 = linear_select([ + part1177, + dup262, + dup157, + dup156, + ]); + + var all242 = all_match({ + processors: [ + part1176, + select266, + dup116, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg699 = msg("00059", all242); + + var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); + + var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); + + var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); + + var select267 = linear_select([ + part1179, + part1180, + ]); + + var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); + + var 
all243 = all_match({ + processors: [ + part1178, + select267, + part1181, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg700 = msg("00059:02", all243); + + var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg701 = msg("00059:03", part1182); + + var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg702 = msg("00059:04", part1183); + + var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); + + var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); + + var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); + + var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); + + var select268 = linear_select([ + part1184, + part1185, + part1186, + part1187, + ]); + + var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); + + var all244 = all_match({ + processors: [ + select268, + part1188, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg703 = msg("00059:05", all244); + + var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg704 = msg("00059:06", part1189); + + var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ + 
dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg705 = msg("00059:07", part1190); + + var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); + + var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); + + var select269 = linear_select([ + part1191, + part1192, + ]); + + var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); + + var all245 = all_match({ + processors: [ + select269, + part1193, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg706 = msg("00059:08", all245); + + var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); + + var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); + + var select270 = linear_select([ + part1194, + part1195, + ]); + + var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); + + var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); + + var select271 = linear_select([ + dup261, + part1197, + ]); + + var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); + + var all246 = all_match({ + processors: [ + dup160, + select270, + part1196, + select271, + part1198, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg707 = msg("00059:09", all246); + + var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg708 = msg("00059:01", part1199); + + var select272 = linear_select([ + msg699, + msg700, + msg701, + msg702, + msg703, + msg704, + msg705, + msg706, + msg707, + msg708, + ]); + + var 
part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP failed"), + ])); + + var msg709 = msg("00062:01", part1200); + + var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP failure reached threshold"), + ])); + + var msg710 = msg("00062:02", part1201); + + var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP succeeded"), + ])); + + var msg711 = msg("00062:03", part1202); + + var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg712 = msg("00062", part1203); + + var select273 = linear_select([ + msg709, + msg710, + msg711, + msg712, + ]); + + var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg713 = msg("00063", part1204); + + var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg714 = msg("00064", part1205); + + var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg715 = msg("00064:01", part1206); + + var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg716 = msg("00064:02", part1207); + + var select274 = linear_select([ + msg714, + msg715, + msg716, + ]); + + var msg717 = msg("00070", dup411); + + var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); + + var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); + + var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); + + var select275 = linear_select([ + part1209, + part1210, + ]); + + var all247 = all_match({ + processors: [ + dup267, + dup391, + part1208, + select275, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg718 = msg("00070:01", all247); + + var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg719 = msg("00070:02", part1211); + + var select276 = linear_select([ + msg717, + msg718, + msg719, + ]); + + var msg720 = msg("00071", dup411); + + var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg721 = msg("00071:01", part1212); + + var select277 = linear_select([ + msg720, + msg721, + ]); + + var msg722 = msg("00072", dup411); + + var msg723 = msg("00072:01", dup412); + + var select278 = linear_select([ + msg722, + msg723, + ]); + + var msg724 = msg("00073", dup411); + + var msg725 = msg("00073:01", dup412); + + var select279 = linear_select([ + msg724, + msg725, + ]); + + var msg726 = msg("00074", dup392); + + var all248 = all_match({ + processors: [ + dup263, + dup390, + dup271, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + 
}); + + var msg727 = msg("00075", all248); + + var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), + ])); + + var msg728 = msg("00075:02", part1213); + + var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg729 = msg("00075:01", part1214); + + var select280 = linear_select([ + msg727, + msg728, + msg729, + ]); + + var msg730 = msg("00076", dup392); + + var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); + + var all249 = all_match({ + processors: [ + dup263, + dup390, + part1215, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg731 = msg("00076:01", all249); + + var select281 = linear_select([ + msg730, + msg731, + ]); + + var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg732 = msg("00077", part1216); + + var all250 = all_match({ + processors: [ + dup263, + dup390, + dup271, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg733 = msg("00077:01", all250); + + var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ + setc("eventcategory","1607000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg734 = msg("00077:02", part1217); + + var select282 = linear_select([ + msg732, + msg733, + msg734, + ]); + + var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg735 = msg("00084", part1218); + + var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); + + var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); + + var select283 = linear_select([ + part1219, + part1220, + ]); + + var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); + + var all251 = all_match({ + processors: [ + select283, + dup103, + dup369, + part1221, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg736 = msg("00090", all251); + + var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg737 = msg("00200", part1222); + + var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router 
exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg738 = msg("00201", part1223); + + var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ + dup272, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg739 = msg("00202", part1224); + + var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ + dup272, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg740 = msg("00203", part1225); + + var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); + + var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); + + var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); + + var select284 = linear_select([ + part1227, + part1228, + ]); + + var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); + + var all252 = all_match({ + processors: [ + part1226, + select284, + part1229, + ], + on_success: processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg741 = msg("00206", all252); + + var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); + + var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); + + var all253 = all_match({ + processors: [ + part1230, + dup352, + part1231, + ], + on_success: processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg742 = msg("00206:01", all253); + + var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet 
flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); + + var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); + + var all254 = all_match({ + processors: [ + part1232, + dup352, + part1233, + ], + on_success: processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg743 = msg("00206:02", all254); + + var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg744 = msg("00206:03", part1234); + + var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg745 = msg("00206:04", part1235); + + var select285 = linear_select([ + msg741, + msg742, + msg743, + msg744, + msg745, + ]); + + var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg746 = msg("00207", part1236); + + var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg747 = msg("00207:01", part1237); + + var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg748 = msg("00207:02", part1238); + + var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in 
vr %{fld3}.", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg749 = msg("00207:03", part1239); + + var select286 = linear_select([ + msg746, + msg747, + msg748, + msg749, + ]); + + var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + dup278, + ])); + + var msg750 = msg("00257", part1240); + + var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup279, + dup276, + dup277, + dup280, + ])); + + var msg751 = msg("00257:14", part1241); + + var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + dup278, + ])); + + var msg752 = msg("00257:01", part1242); + + var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} 
direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup279, + dup282, + dup280, + ])); + + var msg753 = msg("00257:15", part1243); + + var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + ])); + + var msg754 = msg("00257:02", part1244); + + var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ])); + + var msg755 = msg("00257:03", part1245); + + var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + ])); + + var msg756 = msg("00257:04", part1246); + + var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ])); + + var msg757 = msg("00257:05", part1247); + + var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); + + var all255 = all_match({ + processors: [ + dup283, + dup393, + part1248, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg758 = msg("00257:19", all255); + + var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); + + var all256 = all_match({ + processors: [ + dup283, + dup393, + part1249, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg759 = msg("00257:16", all256); + + var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); + + var all257 = all_match({ + processors: [ + dup283, + dup393, + part1250, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ]), + }); + + var msg760 = msg("00257:17", all257); + + var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); + + var all258 = all_match({ + processors: [ + dup283, + dup393, + part1251, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ]), + }); + + var msg761 = msg("00257:18", all258); + + var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); + + var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); + + var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); + + var select287 = linear_select([ + part1253, + part1254, + ]); + + var all259 = all_match({ + processors: [ + part1252, + select287, + ], + on_success: processor_chain([ + dup185, + 
dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + ]), + }); + + var msg762 = msg("00257:06", all259); + + var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ])); + + var msg763 = msg("00257:07", part1255); + + var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup276, + dup277, + ])); + + var msg764 = msg("00257:08", part1256); + + var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); + + var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); + + var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); + + var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); + + var select288 = linear_select([ + part1258, + part1259, + part1260, + ]); + + var all260 = all_match({ + processors: [ + part1257, + select288, + ], + on_success: processor_chain([ + 
dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg765 = msg("00257:09", all260); + + var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); + + var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); + + var select289 = linear_select([ + part1262, + dup286, + ]); + + var all261 = all_match({ + processors: [ + part1261, + select289, + ], + on_success: processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup276, + dup277, + ]), + }); + + var msg766 = msg("00257:10", all261); + + var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); + + var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); + + var select290 = linear_select([ + part1264, + dup286, + ]); + + var all262 = all_match({ + processors: [ + part1263, + select290, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg767 = msg("00257:11", all262); + + var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + 
dup275, + dup60, + dup282, + ])); + + var msg768 = msg("00257:12", part1265); + + var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ + dup281, + dup2, + dup3, + dup274, + dup4, + dup5, + ])); + + var msg769 = msg("00257:13", part1266); + + var select291 = linear_select([ + msg750, + msg751, + msg752, + msg753, + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, + msg769, + ]); + + var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); + + var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); + + var select292 = linear_select([ + part1268, + dup289, + dup241, + ]); + + var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); + + var all263 = all_match({ + processors: [ + dup394, + part1267, + select292, + part1269, + ], + on_success: processor_chain([ + dup28, + dup29, + dup30, + dup31, + dup32, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg770 = msg("00259", all263); + + var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); + + var all264 = all_match({ + processors: [ + dup394, + part1270, + ], + on_success: processor_chain([ + dup33, + dup29, + dup34, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg771 = msg("00259:07", all264); + + var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg772 = msg("00259:01", part1271); + + var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ 
+ dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg773 = msg("00259:02", part1272); + + var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg774 = msg("00259:03", part1273); + + var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg775 = msg("00259:04", part1274); + + var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); + + var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); + + var select293 = linear_select([ + dup241, + dup289, + part1276, + ]); + + var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); + + var all265 = all_match({ + processors: [ + part1275, + select293, + part1277, + ], + on_success: processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg776 = msg("00259:05", all265); + + var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg777 = msg("00259:06", part1278); + + var select294 = linear_select([ + msg770, + msg771, + msg772, + msg773, + msg774, + msg775, + msg776, + msg777, + ]); + + var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg778 = msg("00262", 
part1279); + + var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ + setc("eventcategory","1401050100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg779 = msg("00263", part1280); + + var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); + + var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); + + var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); + + var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); + + var select295 = linear_select([ + part1281, + part1282, + part1283, + part1284, + ]); + + var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); + + var all266 = all_match({ + processors: [ + select295, + part1285, + ], + on_success: processor_chain([ + setc("eventcategory","1003000000"), + dup2, + dup4, + dup5, + dup3, + dup61, + ]), + }); + + var msg780 = msg("00400", all266); + + var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup291, + ])); + + var msg781 = msg("00401", part1286); + + var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup292, + ])); + + var msg782 = msg("00402", part1287); + + var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); + + var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); + + var all267 = all_match({ + processors: [ + part1288, + dup337, + part1289, + ], + on_success: processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup292, + ]), + }); + + var msg783 = msg("00402:01", all267); + + var select296 = linear_select([ + msg782, + msg783, + ]); + + var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup291, + ])); + + var msg784 = msg("00403", part1290); + + var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup4, + dup5, + dup3, + dup292, + ])); + + var msg785 = msg("00404", part1291); + + var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ + dup147, + dup2, + dup4, + dup5, + dup3, + dup291, + ])); + + var msg786 = msg("00405", part1292); + + var msg787 = msg("00406", dup413); + + var msg788 = msg("00407", dup413); + + var msg789 = msg("00408", dup413); + + var all268 = all_match({ + processors: [ + dup132, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg790 = msg("00409", all268); + + var msg791 = msg("00410", dup413); + + var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup60, + ])); + + var msg792 = msg("00410:01", part1293); + + var select297 = linear_select([ + msg791, + msg792, + ]); + + var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); + + var all269 = all_match({ + processors: [ + part1294, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg793 = msg("00411", all269); + + var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); + + var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); + + var all270 = all_match({ + processors: [ + part1295, + dup337, + part1296, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg794 = msg("00413", all270); + + var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); + + var all271 = all_match({ + processors: [ + part1297, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup61, + ]), + }); + + var msg795 = msg("00413:01", all271); + + var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup9, + ])); + + var msg796 = msg("00413:02", part1298); + + var select298 = linear_select([ + msg794, + msg795, + msg796, + ]); + + var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + ])); + + var msg797 = msg("00414", part1299); + + var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup9, + ])); + + var msg798 = msg("00414:01", part1300); + + var select299 = linear_select([ + msg797, + msg798, + ]); + + var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg799 = msg("00415", part1301); + + var all272 = all_match({ + processors: [ + dup132, + dup343, + dup294, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg800 = msg("00423", all272); + + var all273 = all_match({ + processors: [ + dup80, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup60, + ]), + }); + + var msg801 = msg("00429", all273); + + var all274 = all_match({ + processors: [ + dup132, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup60, + ]), + }); + + var msg802 = msg("00429:01", all274); + + var select300 = linear_select([ + msg801, + msg802, + ]); + + var all275 = all_match({ + processors: [ + dup80, + dup343, + dup295, + dup351, + ], + on_success: processor_chain([ + dup85, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ]), + }); + + var msg803 = msg("00430", all275); + + var all276 = all_match({ + processors: [ + dup132, + dup343, + dup295, + dup351, + ], + on_success: processor_chain([ + dup85, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup60, + ]), + }); + + var msg804 = msg("00430:01", all276); + + var select301 = linear_select([ + msg803, + msg804, + ]); + + var msg805 = msg("00431", dup414); + + var msg806 = msg("00432", dup414); + + var msg807 = msg("00433", dup415); + + var msg808 
= msg("00434", dup415); + + var msg809 = msg("00435", dup395); + + var all277 = all_match({ + processors: [ + dup132, + dup343, + dup294, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup5, + dup3, + dup60, + ]), + }); + + var msg810 = msg("00435:01", all277); + + var select302 = linear_select([ + msg809, + msg810, + ]); + + var msg811 = msg("00436", dup395); + + var all278 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup4, + dup5, + dup3, + dup60, + ]), + }); + + var msg812 = msg("00436:01", all278); + + var select303 = linear_select([ + msg811, + msg812, + ]); + + var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg813 = msg("00437", part1302); + + var all279 = all_match({ + processors: [ + dup299, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + dup9, + ]), + }); + + var msg814 = msg("00437:01", all279); + + var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + dup9, + ])); + + var msg815 = msg("00437:02", part1303); + + var select304 = linear_select([ + msg813, + msg814, + msg815, + ]); + + var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg816 = msg("00438", part1304); + + var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg817 = msg("00438:01", part1305); + + var all280 = all_match({ + processors: [ + dup299, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup61, + ]), + }); + + var msg818 = msg("00438:02", all280); + + var select305 = linear_select([ + msg816, + msg817, + msg818, + ]); + + var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ])); + + var msg819 = msg("00440", part1306); + + var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg820 = msg("00440:02", part1307); + + var all281 = all_match({ + processors: [ + dup239, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup9, + dup61, + ]), + }); + + var msg821 = msg("00440:01", all281); + + var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); + + var all282 = all_match({ + processors: [ + part1308, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup9, + dup60, + ]), + }); + + var msg822 = msg("00440:03", all282); + + var select306 = linear_select([ + msg819, + msg820, + msg821, + msg822, + ]); + + var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, + ])); + + var msg823 = msg("00441", part1309); + + var msg824 = msg("00442", dup396); + + var msg825 = msg("00443", dup396); + + var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg826 = msg("00511", part1310); + + var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); + + var all283 = all_match({ + processors: [ + part1311, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg827 = msg("00511:01", all283); + + var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg828 = msg("00511:02", part1312); + + var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); + + var all284 = all_match({ + processors: [ + part1313, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg829 = msg("00511:03", all284); + + var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); + + var all285 = all_match({ + processors: [ + part1314, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg830 = msg("00511:04", all285); + + var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); + + var all286 = all_match({ + processors: [ + part1315, + dup397, + ], + on_success: processor_chain([ + 
dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg831 = msg("00511:05", all286); + + var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); + + var all287 = all_match({ + processors: [ + part1316, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg832 = msg("00511:06", all287); + + var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); + + var all288 = all_match({ + processors: [ + part1317, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg833 = msg("00511:07", all288); + + var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); + + var all289 = all_match({ + processors: [ + part1318, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg834 = msg("00511:08", all289); + + var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); + + var all290 = all_match({ + processors: [ + part1319, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg835 = msg("00511:09", all290); + + var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); + + var all291 = all_match({ + processors: [ + part1320, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg836 = msg("00511:10", all291); + + var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); + + var all292 = 
all_match({ + processors: [ + part1321, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg837 = msg("00511:11", all292); + + var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); + + var all293 = all_match({ + processors: [ + part1322, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg838 = msg("00511:12", all293); + + var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); + + var all294 = all_match({ + processors: [ + part1323, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg839 = msg("00511:13", all294); + + var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg840 = msg("00511:14", part1324); + + var select307 = linear_select([ + msg826, + msg827, + msg828, + msg829, + msg830, + msg831, + msg832, + msg833, + msg834, + msg835, + msg836, + msg837, + msg838, + msg839, + msg840, + ]); + + var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); + + var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); + + var select308 = linear_select([ + dup123, + part1326, + dup122, + ]); + + var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); + + var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})"); + + var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); + + var select309 = linear_select([ + part1328, + part1329, + ]); + + var all295 = all_match({ + processors: [ + part1325, + select308, + part1327, + select309, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), + }); + + var msg841 = msg("00513", all295); + + var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); + + var select310 = linear_select([ + part1330, + dup287, + ]); + + var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); + + var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); + + var select311 = linear_select([ + dup96, + part1332, + ]); + + var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); + + var all296 = all_match({ + processors: [ + select310, + part1331, + select311, + part1333, + ], + on_success: processor_chain([ + dup301, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg842 = msg("00515", all296); + + var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); + + var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); + + var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); + + var select312 = linear_select([ + part1335, + part1336, + ]); + + var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); + + var all297 = all_match({ + processors: [ + part1334, + select312, + part1337, + ], + on_success: processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup4, + dup5, + dup302, + dup3, + ]), + }); + + var msg843 = msg("00515:01", all297); + + var part1338 = match("MESSAGE#834:00515:02/0", 
"nwparser.payload", "Management session via %{p0}"); + + var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); + + var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); + + var select313 = linear_select([ + part1339, + part1340, + ]); + + var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); + + var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); + + var select314 = linear_select([ + part1341, + part1342, + dup15, + ]); + + var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); + + var all298 = all_match({ + processors: [ + part1338, + select313, + select314, + part1343, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg844 = msg("00515:02", all298); + + var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); + + var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); + + var select315 = linear_select([ + part1344, + part1345, + ]); + + var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); + + var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); + + var select316 = linear_select([ + dup304, + part1347, + ]); + + var all299 = all_match({ + processors: [ + select315, + part1346, + dup398, + dup40, + select316, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg845 = msg("00515:04", all299); + + var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg846 = msg("00515:06", part1348); + + var part1349 = match("MESSAGE#837:00515:05/0", 
"nwparser.payload", "%{}Admin %{p0}"); + + var select317 = linear_select([ + dup305, + dup16, + ]); + + var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); + + var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); + + var select318 = linear_select([ + dup306, + part1351, + dup304, + ]); + + var all300 = all_match({ + processors: [ + part1349, + select317, + part1350, + dup398, + dup40, + select318, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg847 = msg("00515:05", all300); + + var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg848 = msg("00515:07", part1352); + + var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); + + var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); + + var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); + + var select319 = linear_select([ + part1354, + part1355, + ]); + + var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); + + var all301 = all_match({ + processors: [ + part1353, + select319, + part1356, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg849 = msg("00515:08", all301); + + var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg850 = msg("00515:09", part1357); + + var part1358 = 
match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg851 = msg("00515:10", part1358); + + var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg852 = msg("00515:11", part1359); + + var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); + + var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); + + var all302 = all_match({ + processors: [ + part1360, + dup399, + part1361, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg853 = msg("00515:12", all302); + + var select320 = linear_select([ + dup288, + dup287, + ]); + + var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); + + var select321 = linear_select([ + dup306, + dup304, + ]); + + var all303 = all_match({ + processors: [ + select320, + part1362, + dup398, + dup40, + select321, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg854 = msg("00515:13", all303); + + var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); + + var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); + + var select322 = linear_select([ + part1363, + part1364, + ]); + + var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); + + var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); + + var part1367 = 
match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); + + var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); + + var select323 = linear_select([ + part1366, + part1367, + part1368, + ]); + + var all304 = all_match({ + processors: [ + select322, + dup398, + part1365, + select323, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg855 = msg("00515:14", all304); + + var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); + + var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); + + var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); + + var select324 = linear_select([ + part1370, + part1371, + ]); + + var all305 = all_match({ + processors: [ + part1369, + dup398, + dup40, + select324, + dup41, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg856 = msg("00515:15", all305); + + var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); + + var select325 = linear_select([ + part1372, + dup287, + ]); + + var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); + + var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})"); + + var all306 = all_match({ + processors: [ + select325, + part1373, + dup399, + part1374, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg857 = msg("00515:16", all306); + + var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); + + var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); + + var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); + + var select326 = linear_select([ + part1376, + part1377, + ]); + + var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); + + var all307 = all_match({ + processors: [ + part1375, + select326, + part1378, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg858 = msg("00515:17", all307); + + var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg859 = msg("00515:18", part1379); + + var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); + + var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); + + var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); + + var select327 = linear_select([ + part1381, + part1382, + ]); + + var all308 = all_match({ + processors: [ + part1380, + select327, + dup41, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg860 = msg("00515:19", all308); + + var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg861 = msg("00515:20", part1383); + + var select328 = linear_select([ + msg842, + msg843, + msg844, + msg845, + msg846, + msg847, + msg848, + msg849, + msg850, + msg851, + msg852, + msg853, + msg854, + msg855, + msg856, + msg857, + msg858, + msg859, + msg860, + msg861, + ]); + + var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg862 = msg("00518", part1384); + + var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg863 = msg("00518:17", part1385); + + var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg864 = msg("00518:01", part1386); + + var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg865 = msg("00518:02", part1387); + + var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User 
%{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg866 = msg("00518:03", part1388); + + var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg867 = msg("00518:04", part1389); + + var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg868 = msg("00518:05", part1390); + + var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ + dup35, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg869 = msg("00518:06", part1391); + + var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); + + var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); + + var select329 = linear_select([ + dup24, + part1393, + ]); + + var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); + + var all309 = all_match({ + processors: [ + part1392, + select329, + part1394, + ], + on_success: processor_chain([ + dup53, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg870 = msg("00518:07", all309); + + var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ + dup35, + dup29, + dup31, + dup39, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg871 = msg("00518:08", part1395); + + var 
part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg872 = msg("00518:09", part1396); + + var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup4, + dup9, + dup5, + dup3, + dup302, + ])); + + var msg873 = msg("00518:10", part1397); + + var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); + + var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); + + var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); + + var select330 = linear_select([ + part1399, + part1400, + ]); + + var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); + + var all310 = all_match({ + processors: [ + part1398, + select330, + part1401, + ], + on_success: processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup9, + dup4, + dup5, + dup3, + ]), + }); + + var msg874 = msg("00518:11", all310); + + var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, + dup2, + dup4, + dup9, + dup5, + dup3, + ])); + + var msg875 = msg("00518:12", part1402); + + var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup9, + dup5, + ])); + + var msg876 = msg("00518:13", part1403); + + var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ + dup290, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg877 = msg("00518:14", part1404); + + var select331 = linear_select([ + msg862, + msg863, + msg864, + msg865, + msg866, + msg867, + msg868, + msg869, + msg870, + msg871, + msg872, + msg873, + msg874, + msg875, + msg876, + msg877, + ]); + + var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); + + var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); + + var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); + + var select332 = linear_select([ + dup194, + part1406, + part1407, + ]); + + var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); + + var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); + + var select333 = linear_select([ + part1409, + dup16, + ]); + + var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); + + var all311 = all_match({ + processors: [ + part1405, + select332, + part1408, + select333, + part1410, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg878 = msg("00519", all311); + + var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); + + var select334 = linear_select([ + dup307, + dup305, + ]); + + var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); + + var all312 = all_match({ + processors: [ + part1411, + select334, + part1412, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, 
+ dup4, + dup5, + ]), + }); + + var msg879 = msg("00519:01", all312); + + var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); + + var select335 = linear_select([ + dup307, + part1413, + ]); + + var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); + + var all313 = all_match({ + processors: [ + dup160, + select335, + part1414, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg880 = msg("00519:02", all313); + + var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg881 = msg("00519:03", part1415); + + var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ + dup240, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg882 = msg("00519:04", part1416); + + var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ + dup240, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg883 = msg("00519:05", part1417); + + var select336 = linear_select([ + msg878, + msg879, + msg880, + msg881, + msg882, + msg883, + ]); + + var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg884 = msg("00520", part1418); + + var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); + + var part1420 = match("MESSAGE#875:00520:01/1_0", 
"nwparser.p0", "RADIUS %{p0}"); + + var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); + + var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); + + var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); + + var select337 = linear_select([ + part1420, + part1421, + part1422, + part1423, + ]); + + var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); + + var all314 = all_match({ + processors: [ + part1419, + select337, + part1424, + ], + on_success: processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg885 = msg("00520:01", all314); + + var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); + + var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); + + var all315 = all_match({ + processors: [ + part1425, + dup400, + part1426, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg886 = msg("00520:02", all315); + + var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); + + var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); + + var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); + + var select338 = linear_select([ + part1427, + part1428, + part1429, + ]); + + var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); + + var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); + + var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); + + var all316 = all_match({ + processors: [ + dup160, + select338, + part1430, + dup400, + part1431, + dup400, + part1432, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg887 = msg("00520:03", all316); + + var part1433 = 
match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg888 = msg("00520:04", part1433); + + var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg889 = msg("00520:05", part1434); + + var select339 = linear_select([ + msg884, + msg885, + msg886, + msg887, + msg888, + msg889, + ]); + + var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg890 = msg("00521", part1435); + + var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg891 = msg("00522", part1436); + + var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg892 = msg("00523", part1437); + + var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg893 = msg("00524", part1438); + + var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg894 = msg("00524:02", part1439); + + var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg895 = msg("00524:03", part1440); + + var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg896 = msg("00524:04", part1441); + + var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg897 = msg("00524:05", part1442); + + var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg898 = msg("00524:06", part1443); + + var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg899 = msg("00524:12", part1444); + + var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ + dup19, + dup2, + dup4, + setc("result","the SNMP version type is incorrect"), + dup5, + dup9, + ])); + + var msg900 = msg("00524:14", part1445); + + var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); + + var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); + + var all317 = all_match({ + processors: [ + part1446, + dup401, + part1447, + ], + on_success: processor_chain([ + dup18, + dup2, + dup4, + dup5, + ]), + }); + + var msg901 = msg("00524:13", all317); + + var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg902 = msg("00524:07", part1448); + + var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg903 = msg("00524:08", part1449); + + var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg904 = msg("00524:09", part1450); + + var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg905 = msg("00524:10", part1451); + + var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg906 = msg("00524:11", part1452); + + var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg907 = msg("00524:16", part1453); + + var select340 = linear_select([ + msg893, + msg894, + msg895, + msg896, + msg897, + msg898, + msg899, + msg900, + msg901, + msg902, + msg903, + msg904, + msg905, + msg906, + msg907, + ]); + + var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ + dup203, + setc("ec_subject","Password"), + dup38, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg908 = msg("00525", part1454); + + var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg909 = msg("00525:01", part1455); + + var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg910 = msg("00525:02", part1456); + + var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg911 = msg("00525:03", part1457); + + var select341 = linear_select([ + msg908, + msg909, + msg910, + msg911, + ]); + + var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ + dup37, + dup219, + dup38, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg912 = msg("00526", part1458); + + var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); + + var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); + + var select342 = 
linear_select([ + dup311, + part1460, + ]); + + var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); + + var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); + + var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); + + var select343 = linear_select([ + dup312, + part1462, + part1463, + ]); + + var all318 = all_match({ + processors: [ + part1459, + select342, + part1461, + select343, + dup108, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg913 = msg("00527", all318); + + var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg914 = msg("00527:01", part1464); + + var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); + + var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); + + var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); + + var select344 = linear_select([ + dup311, + part1466, + part1467, + ]); + + var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); + + var all319 = all_match({ + processors: [ + part1465, + select344, + part1468, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg915 = msg("00527:02", all319); + + var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg916 = msg("00527:03", part1469); + + var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + 
])); + + var msg917 = msg("00527:04", part1470); + + var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); + + var all320 = all_match({ + processors: [ + dup210, + dup337, + part1471, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg918 = msg("00527:05", all320); + + var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); + + var select345 = linear_select([ + dup106, + dup127, + ]); + + var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); + + var select346 = linear_select([ + dup312, + part1473, + ]); + + var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); + + var all321 = all_match({ + processors: [ + part1472, + select345, + dup23, + select346, + part1474, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg919 = msg("00527:06", all321); + + var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg920 = msg("00527:07", part1475); + + var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg921 = msg("00527:08", part1476); + + var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); + + var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); + + var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); + + var select347 = linear_select([ + part1478, + part1479, + ]); + + var all322 = all_match({ + processors: [ + part1477, + select347, + dup41, + ], + on_success: processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg922 = msg("00527:09", all322); + + var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg923 = msg("00527:10", part1480); + + var select348 = linear_select([ + msg913, + msg914, + msg915, + msg916, + msg917, + msg918, + msg919, + msg920, + msg921, + msg922, + msg923, + ]); + + var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ + setc("eventcategory","1302010000"), + dup29, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg924 = msg("00528", part1481); + + var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg925 = msg("00528:01", part1482); + + var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg926 = msg("00528:02", part1483); + + var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg927 = msg("00528:03", part1484); + + var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg928 = msg("00528:04", part1485); + + var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg929 = msg("00528:05", part1486); + + var part1487 = match("MESSAGE#918:00528:06", 
"nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ + dup313, + dup2, + dup3, + dup4, + dup5, + setc("result","invalid version string"), + ])); + + var msg930 = msg("00528:06", part1487); + + var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); + + var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); + + var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); + + var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); + + var select349 = linear_select([ + dup88, + part1489, + part1490, + part1491, + ]); + + var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); + + var all323 = all_match({ + processors: [ + part1488, + select349, + part1492, + ], + on_success: processor_chain([ + dup314, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg931 = msg("00528:07", all323); + + var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ + dup314, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg932 = msg("00528:08", part1493); + + var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg933 = msg("00528:09", part1494); + + var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg934 = msg("00528:10", part1495); + + var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg935 = msg("00528:11", part1496); + + var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("disposition","disabled"), + ])); + + var msg936 = msg("00528:12", part1497); + + var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); + + var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); + + var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); + + var select350 = linear_select([ + part1499, + part1500, + ]); + + var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); + + var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); + + var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); + + var select351 = linear_select([ + part1503, + dup157, + ]); + + var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); + + var all324 = all_match({ + processors: [ + part1498, + select350, + part1501, + dup337, + part1502, + select351, + part1504, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg937 = msg("00528:13", all324); + + var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH 
client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg938 = msg("00528:14", part1505); + + var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); + + var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); + + var select352 = linear_select([ + dup315, + part1507, + ]); + + var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); + + var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); + + var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); + + var select353 = linear_select([ + part1509, + part1510, + ]); + + var all325 = all_match({ + processors: [ + part1506, + select352, + part1508, + select353, + dup108, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg939 = msg("00528:15", all325); + + var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg940 = msg("00528:16", part1511); + + var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg941 = msg("00528:17", part1512); + + var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); + + var all326 = all_match({ + processors: [ + dup316, + dup402, + part1513, + dup403, + dup320, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("disposition","successful"), + setc("event_description","authentication successful for admin user"), + ]), + }); + + var msg942 = msg("00528:18", all326); + + var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); + + var all327 = all_match({ + processors: [ + dup316, + dup402, + part1514, + dup403, + dup320, + ], + on_success: processor_chain([ + dup206, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup302, + dup3, + setc("event_description","authentication failed for admin user"), + ]), + }); + + var msg943 = msg("00528:26", all327); + + var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); + + var all328 = all_match({ + processors: [ + dup321, + dup404, + part1515, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg944 = msg("00528:19", all328); + + var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); + + var all329 = all_match({ + processors: [ + dup321, + dup404, + part1516, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg945 = msg("00528:20", all329); + + var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that 
client.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg946 = msg("00528:21", part1517); + + var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); + + var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); + + var all330 = all_match({ + processors: [ + part1518, + dup337, + part1519, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("result","SCS is not enabled for that interface"), + ]), + }); + + var msg947 = msg("00528:22", all330); + + var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("result","SCS cannot generate the host and server keys before timing out"), + ])); + + var msg948 = msg("00528:23", part1520); + + var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup281, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg949 = msg("00528:24", part1521); + + var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); + + var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); + + var all331 = all_match({ + processors: [ + part1522, + dup403, + part1523, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg950 = msg("00528:25", all331); + + var select354 = linear_select([ + msg924, + msg925, + msg926, + msg927, + msg928, + msg929, + msg930, + 
msg931, + msg932, + msg933, + msg934, + msg935, + msg936, + msg937, + msg938, + msg939, + msg940, + msg941, + msg942, + msg943, + msg944, + msg945, + msg946, + msg947, + msg948, + msg949, + msg950, + ]); + + var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); + + var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); + + var select355 = linear_select([ + part1524, + part1525, + ]); + + var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); + + var all332 = all_match({ + processors: [ + dup63, + select355, + part1526, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg951 = msg("00529", all332); + + var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); + + var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); + + var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); + + var select356 = linear_select([ + part1528, + part1529, + ]); + + var all333 = all_match({ + processors: [ + part1527, + select356, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg952 = msg("00529:01", all333); + + var select357 = linear_select([ + msg951, + msg952, + ]); + + var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg953 = msg("00530", part1530); + + var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); + + var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); + + var all334 = all_match({ + processors: [ + part1531, + dup337, + part1532, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), 
+ }); + + var msg954 = msg("00530:01", all334); + + var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg955 = msg("00530:02", part1533); + + var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg956 = msg("00530:03", part1534); + + var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg957 = msg("00530:04", part1535); + + var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg958 = msg("00530:05", part1536); + + var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg959 = msg("00530:06", part1537); + + var select358 = linear_select([ + msg953, + msg954, + msg955, + msg956, + msg957, + msg958, + msg959, + ]); + + var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); + + var all335 = all_match({ + processors: [ + part1538, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg960 = msg("00531", all335); + + var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg961 = msg("00531:01", 
part1539); + + var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg962 = msg("00531:02", part1540); + + var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); + + var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); + + var select359 = linear_select([ + part1542, + dup115, + ]); + + var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); + + var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); + + var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); + + var select360 = linear_select([ + part1544, + part1545, + ]); + + var all336 = all_match({ + processors: [ + part1541, + select359, + part1543, + select360, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup146, + ]), + }); + + var msg963 = msg("00531:03", all336); + + var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); + + var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); + + var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); + + var select361 = linear_select([ + part1547, + part1548, + dup189, + ]); + + var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); + + var all337 = all_match({ + processors: [ + part1546, + select361, + part1549, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg964 = msg("00531:04", all337); + + var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg965 = msg("00531:05", part1550); + + var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg966 = msg("00531:06", part1551); + + var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg967 = msg("00531:07", part1552); + + var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg968 = msg("00531:08", part1553); + + var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg969 = msg("00531:09", part1554); + + var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg970 = msg("00531:10", part1555); + + var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","system clock changed based on receive from primary NTP server"), + ])); + + var msg971 = msg("00531:11", part1556); + + var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg972 = msg("00531:12", part1557); + + var select362 = linear_select([ + msg960, + msg961, + msg962, + msg963, + msg964, + msg965, + msg966, + msg967, + msg968, + msg969, + msg970, + msg971, + msg972, + ]); + + var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg973 = msg("00533", part1558); + + var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg974 = msg("00534", part1559); + + var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg975 = msg("00535", part1560); + + var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 
certificate request is %{disposition}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg976 = msg("00535:01", part1561); + + var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg977 = msg("00535:02", part1562); + + var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg978 = msg("00535:03", part1563); + + var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + setc("result","SCEP_FAILURE message"), + ])); + + var msg979 = msg("00535:04", part1564); + + var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg980 = msg("00535:05", part1565); + + var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Saved CA configuration - cert subject name"), + ])); + + var msg981 = msg("00535:06", part1566); + + var select363 = linear_select([ + msg975, + msg976, + msg977, + msg978, + msg979, + msg980, + msg981, + ]); + + var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); + + var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); + + var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); + + var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); + + var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); + + var select364 = linear_select([ + part1568, + part1569, + part1570, + part1571, + ]); + + var all338 = all_match({ + processors: [ + part1567, + select364, + dup10, + ], + on_success: processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), + }); + + var msg982 = msg("00536:49", all338); + + var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg983 = msg("00536", part1572); + + var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg984 = msg("00536:01", part1573); + + var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg985 = msg("00536:02", part1574); + + var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg986 = msg("00536:03", part1575); + + var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ + setc("eventcategory","1801010100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg987 = msg("00536:04", part1576); + + var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg988 = msg("00536:05", part1577); + + var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg989 = msg("00536:06", part1578); + + var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg990 = msg("00536:07", part1579); + + var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg991 = msg("00536:08", part1580); + + var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg992 = msg("00536:09", part1581); + + var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg993 = msg("00536:10", part1582); + + var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after 
receiving a notification message", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg994 = msg("00536:11", part1583); + + var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg995 = msg("00536:12", part1584); + + var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg996 = msg("00536:13", part1585); + + var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); + + var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); + + var all339 = all_match({ + processors: [ + part1586, + dup383, + part1587, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg997 = msg("00536:14", all339); + + var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ])); + + var msg998 = msg("00536:50", part1588); + + var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg999 = msg("00536:15", part1589); + + var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1000 = msg("00536:16", part1590); + + var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1001 = msg("00536:17", part1591); + + var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1002 = msg("00536:18", part1592); + + var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1003 = msg("00536:19", part1593); + + var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1004 = msg("00536:20", part1594); + + var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1005 = msg("00536:21", part1595); + + var part1596 = match("MESSAGE#993:00536:22", 
"nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("result","Negotiations failed"), + ])); + + var msg1006 = msg("00536:22", part1596); + + var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("result","The time limit has elapsed"), + setc("disposition","Aborted"), + ])); + + var msg1007 = msg("00536:23", part1597); + + var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1008 = msg("00536:24", part1598); + + var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1009 = msg("00536:25", part1599); + + var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1010 = msg("00536:26", part1600); + + var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1011 = msg("00536:27", part1601); + + var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1012 = msg("00536:28", part1602); + + 
var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1013 = msg("00536:29", part1603); + + var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1014 = msg("00536:30", part1604); + + var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1015 = msg("00536:31", part1605); + + var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1016 = msg("00536:32", part1606); + + var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1017 = msg("00536:33", part1607); + + var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1018 = msg("00536:34", part1608); + + var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1019 = msg("00536:35", part1609); + + var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); + + var 
part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); + + var all340 = all_match({ + processors: [ + part1610, + dup401, + part1611, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1020 = msg("00536:36", all340); + + var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1021 = msg("00536:37", part1612); + + var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1022 = msg("00536:38", part1613); + + var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1023 = msg("00536:39", part1614); + + var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1024 = msg("00536:40", part1615); + + var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1025 = msg("00536:47", part1616); + + var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1026 = msg("00536:41", part1617); + + var part1618 = 
match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1027 = msg("00536:42", part1618); + + var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1028 = msg("00536:43", part1619); + + var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1029 = msg("00536:44", part1620); + + var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1030 = msg("00536:45", part1621); + + var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Received an IKE packet on interface"), + ])); + + var msg1031 = msg("00536:48", part1622); + + var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1032 = msg("00536:46", part1623); + + var select365 = linear_select([ + msg982, + msg983, + msg984, + msg985, + msg986, + msg987, + msg988, + msg989, + msg990, + msg991, + msg992, + msg993, + msg994, + msg995, + msg996, + msg997, + msg998, + msg999, + msg1000, + msg1001, + msg1002, + msg1003, + msg1004, + msg1005, + msg1006, + msg1007, + msg1008, + msg1009, + msg1010, + msg1011, + msg1012, + msg1013, + msg1014, + msg1015, + msg1016, + msg1017, + msg1018, + msg1019, + msg1020, + msg1021, + msg1022, + msg1023, + msg1024, + msg1025, + msg1026, + msg1027, + msg1028, + msg1029, + msg1030, + msg1031, + msg1032, + ]); + + var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg1033 = msg("00537", part1624); + + var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1034 = msg("00537:01", part1625); + + var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1035 = msg("00537:02", part1626); + + var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1036 = msg("00537:03", part1627); + + var select366 = 
linear_select([ + msg1033, + msg1034, + msg1035, + msg1036, + ]); + + var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); + + var select367 = linear_select([ + dup111, + dup119, + ]); + + var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); + + var all341 = all_match({ + processors: [ + part1628, + select367, + part1629, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1037 = msg("00538", all341); + + var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1038 = msg("00538:01", part1630); + + var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1039 = msg("00538:02", part1631); + + var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ + dup19, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg1040 = msg("00538:03", part1632); + + var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1041 = msg("00538:04", part1633); + + var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); + + var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); + + var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); + + var select368 = linear_select([ + part1635, + part1636, + ]); + + var part1637 = 
match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); + + var all342 = all_match({ + processors: [ + part1634, + select368, + part1637, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1042 = msg("00538:05", all342); + + var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); + + var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); + + var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); + + var select369 = linear_select([ + part1639, + part1640, + ]); + + var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); + + var all343 = all_match({ + processors: [ + part1638, + select369, + part1641, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1043 = msg("00538:06", all343); + + var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); + + var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); + + var select370 = linear_select([ + part1643, + dup16, + ]); + + var all344 = all_match({ + processors: [ + part1642, + select370, + dup136, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1044 = msg("00538:07", all344); + + var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1045 = msg("00538:08", part1644); + + var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ + dup301, + dup2, + dup3, + dup9, + dup4, + dup5, + 
setc("event_description","Connected to NSM server"), + ])); + + var msg1046 = msg("00538:09", part1645); + + var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); + + var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); + + var select371 = linear_select([ + part1647, + dup41, + ]); + + var all345 = all_match({ + processors: [ + part1646, + select371, + ], + on_success: processor_chain([ + dup198, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","Connection to NSM server is down"), + ]), + }); + + var msg1047 = msg("00538:10", all345); + + var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ + dup198, + dup2, + dup3, + dup9, + dup4, + dup5, + dup323, + ])); + + var msg1048 = msg("00538:11", part1648); + + var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ + dup198, + dup2, + dup3, + dup9, + dup4, + dup5, + dup323, + ])); + + var msg1049 = msg("00538:12", part1649); + + var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","Sent 2B message"), + ])); + + var msg1050 = msg("00538:13", part1650); + + var select372 = linear_select([ + msg1037, + msg1038, + msg1039, + msg1040, + msg1041, + msg1042, + msg1043, + msg1044, + msg1045, + msg1046, + msg1047, + msg1048, + msg1049, + msg1050, + ]); + + var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1051 = msg("00539", part1651); + + var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1052 = msg("00539:01", part1652); + + var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1053 = msg("00539:02", part1653); + + var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1054 = msg("00539:03", part1654); + + var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1055 = msg("00539:04", part1655); + + var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1056 = msg("00539:05", part1656); + + var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1057 = msg("00539:06", part1657); + + var select373 = linear_select([ + msg1051, + msg1052, + msg1053, + msg1054, + msg1055, + msg1056, + msg1057, + ]); + + var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ + dup324, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1058 = msg("00541", part1658); + + var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ + dup273, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1059 = msg("00541:01", part1659); + + var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ + dup273, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1060 = msg("00541:02", part1660); + + var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); + + var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); + + var select374 = linear_select([ + part1662, + dup21, + ]); + + var all346 = all_match({ + processors: [ + part1661, + select374, + ], + on_success: processor_chain([ + dup44, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1061 = msg("00541:03", all346); + + var select375 = linear_select([ + msg1058, + msg1059, + msg1060, + msg1061, + ]); + + var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1062 = msg("00542", part1663); + + var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); + + var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); + + var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); + + var select376 = linear_select([ + part1665, + part1666, + ]); + + var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); + + var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); + + var select377 = linear_select([ + part1668, + dup106, + ]); + + var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); + + var all347 = all_match({ + processors: [ + part1664, + select376, + part1667, + select377, + part1669, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup9, + dup3, + ]), + }); + + var msg1063 = msg("00543", all347); + + var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ + dup281, + dup2, + dup4, + 
dup5, + dup3, + dup60, + setc("action","RADIUS server challenge"), + ])); + + var msg1064 = msg("00544", part1670); + + var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ + dup281, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1065 = msg("00546", part1671); + + var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg1066 = msg("00547", part1672); + + var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg1067 = msg("00547:01", part1673); + + var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1068 = msg("00547:02", part1674); + + var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); + + var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); + + var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); + + var select378 = linear_select([ + part1676, + part1677, + ]); + + var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); + + var all348 = all_match({ + processors: [ + part1675, + select378, + part1678, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Content is bypassed for connection"), + ]), + }); + + var msg1069 = msg("00547:03", all348); + + var select379 = linear_select([ + msg1066, + msg1067, + msg1068, + msg1069, + ]); + + var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ + dup281, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1070 = msg("00549", part1679); + + var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1071 = msg("00551", part1680); + + var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1072 = msg("00551:01", part1681); + + var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); + + var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); + + var select380 = linear_select([ + part1683, + dup89, + ]); + + var all349 = all_match({ + processors: [ + part1682, + select380, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1073 = msg("00551:02", all349); + + var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. 
(%{fld1})", processor_chain([ + dup18, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1074 = msg("00551:03", part1684); + + var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1075 = msg("00551:04", part1685); + + var select381 = linear_select([ + msg1071, + msg1072, + msg1073, + msg1074, + msg1075, + ]); + + var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); + + var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); + + var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); + + var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); + + var select382 = linear_select([ + part1687, + part1688, + part1689, + ]); + + var all350 = all_match({ + processors: [ + part1686, + select382, + dup325, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1076 = msg("00553", all350); + + var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1077 = msg("00553:01", part1690); + + var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1078 = msg("00553:02", part1691); + + var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1079 = msg("00553:03", part1692); + + var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve 
%{p0}"); + + var select383 = linear_select([ + dup326, + dup327, + ]); + + var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); + + var all351 = all_match({ + processors: [ + part1693, + select383, + part1694, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1080 = msg("00553:04", all351); + + var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1081 = msg("00553:05", part1695); + + var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1082 = msg("00553:06", part1696); + + var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1083 = msg("00553:07", part1697); + + var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); + + var select384 = linear_select([ + dup327, + dup326, + ]); + + var all352 = all_match({ + processors: [ + part1698, + select384, + dup328, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1084 = msg("00553:08", all352); + + var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1085 = msg("00553:09", part1699); + + var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1086 = 
msg("00553:10", part1700); + + var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1087 = msg("00553:11", part1701); + + var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1088 = msg("00553:12", part1702); + + var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1089 = msg("00553:13", part1703); + + var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1090 = msg("00553:14", part1704); + + var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. 
Left usage: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1091 = msg("00553:15", part1705); + + var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1092 = msg("00553:16", part1706); + + var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1093 = msg("00553:17", part1707); + + var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1094 = msg("00553:18", part1708); + + var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1095 = msg("00553:19", part1709); + + var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1096 = msg("00553:20", part1710); + + var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1097 = msg("00553:21", part1711); + + var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1098 = msg("00553:22", part1712); + + var select385 = linear_select([ + msg1076, + msg1077, + msg1078, + msg1079, + msg1080, + msg1081, + msg1082, + msg1083, + 
msg1084, + msg1085, + msg1086, + msg1087, + msg1088, + msg1089, + msg1090, + msg1091, + msg1092, + msg1093, + msg1094, + msg1095, + msg1096, + msg1097, + msg1098, + ]); + + var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); + + var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); + + var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); + + var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); + + var select386 = linear_select([ + part1714, + part1715, + part1716, + ]); + + var all353 = all_match({ + processors: [ + part1713, + select386, + dup325, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1099 = msg("00554", all353); + + var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1100 = msg("00554:01", part1717); + + var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1101 = msg("00554:02", part1718); + + var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1102 = msg("00554:03", part1719); + + var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); + + var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. 
HTTP status code: %{fld2}."); + + var all354 = all_match({ + processors: [ + part1720, + dup405, + part1721, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1103 = msg("00554:04", all354); + + var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); + + var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); + + var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); + + var select387 = linear_select([ + part1723, + part1724, + ]); + + var all355 = all_match({ + processors: [ + part1722, + select387, + dup116, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1104 = msg("00554:05", all355); + + var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1105 = msg("00554:06", part1725); + + var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); + + var all356 = all_match({ + processors: [ + part1726, + dup405, + dup328, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1106 = msg("00554:07", all356); + + var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. 
%{fld3->} %{p0}"); + + var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); + + var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); + + var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); + + var select388 = linear_select([ + part1728, + part1729, + part1730, + ]); + + var all357 = all_match({ + processors: [ + part1727, + select388, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1107 = msg("00554:08", all357); + + var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1108 = msg("00554:09", part1731); + + var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1109 = msg("00554:10", part1732); + + var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1110 = msg("00554:11", part1733); + + var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); + + var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); + + var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); + + var select389 = linear_select([ + part1735, + part1736, + ]); + + var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); + + var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); + + var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of 
concurrent messages %{p0}"); + + var select390 = linear_select([ + part1738, + part1739, + ]); + + var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); + + var all358 = all_match({ + processors: [ + part1734, + select389, + part1737, + select390, + part1740, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1111 = msg("00554:12", all358); + + var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1112 = msg("00554:13", part1741); + + var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1113 = msg("00554:14", part1742); + + var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1114 = msg("00554:15", part1743); + + var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1115 = msg("00554:16", part1744); + + var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. 
(Exp: %{fld3})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1116 = msg("00554:17", part1745); + + var select391 = linear_select([ + msg1099, + msg1100, + msg1101, + msg1102, + msg1103, + msg1104, + msg1105, + msg1106, + msg1107, + msg1108, + msg1109, + msg1110, + msg1111, + msg1112, + msg1113, + msg1114, + msg1115, + msg1116, + ]); + + var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1117 = msg("00555", part1746); + + var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1118 = msg("00556", part1747); + + var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1119 = msg("00556:01", part1748); + + var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); + + var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); + + var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); + + var select392 = linear_select([ + part1750, + part1751, + ]); + + var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); + + var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); + + var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); + + var select393 = linear_select([ + part1753, + part1754, + ]); + + var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); + + var all359 = all_match({ + processors: [ + part1749, + select392, + part1752, + select393, + part1755, + ], + on_success: processor_chain([ + 
dup254, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1120 = msg("00556:02", all359); + + var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); + + var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); + + var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); + + var select394 = linear_select([ + part1757, + part1758, + ]); + + var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); + + var all360 = all_match({ + processors: [ + part1756, + select394, + part1759, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1121 = msg("00556:03", all360); + + var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1122 = msg("00556:04", part1760); + + var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1123 = msg("00556:05", part1761); + + var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1124 = msg("00556:06", part1762); + + var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1125 = msg("00556:07", part1763); + + var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); + + var all361 = all_match({ + processors: [ + part1764, + dup358, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1126 = msg("00556:08", all361); + + var part1765 = 
match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + dup282, + ])); + + var msg1127 = msg("00556:09", part1765); + + var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1128 = msg("00556:10", part1766); + + var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1129 = msg("00556:11", part1767); + + var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); + + var select395 = linear_select([ + dup140, + dup169, + ]); + + var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); + + var all362 = all_match({ + processors: [ + part1768, + select395, + part1769, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1130 = msg("00556:12", all362); + + var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1131 = msg("00556:13", part1770); + + var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); + + var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); + + var all363 = all_match({ + processors: [ + part1771, + dup406, + part1772, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1132 = msg("00556:14", all363); + + var 
part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); + + var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); + + var all364 = all_match({ + processors: [ + part1773, + dup406, + part1774, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + dup282, + ]), + }); + + var msg1133 = msg("00556:15", all364); + + var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); + + var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); + + var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); + + var select396 = linear_select([ + part1776, + part1777, + ]); + + var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); + + var select397 = linear_select([ + dup104, + dup120, + ]); + + var all365 = all_match({ + processors: [ + part1775, + select396, + part1778, + select397, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1134 = msg("00556:16", all365); + + var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); + + var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); + + var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); + + var select398 = linear_select([ + part1780, + part1781, + ]); + + var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); + + var all366 = all_match({ + processors: [ + part1779, + select398, + part1782, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1135 = msg("00556:17", all366); + + var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); 
+ + var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); + + var select399 = linear_select([ + dup101, + part1784, + ]); + + var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); + + var all367 = all_match({ + processors: [ + part1783, + select399, + part1785, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1136 = msg("00556:18", all367); + + var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); + + var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); + + var select400 = linear_select([ + dup103, + dup96, + ]); + + var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); + + var all368 = all_match({ + processors: [ + part1786, + dup355, + part1787, + select400, + part1788, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1137 = msg("00556:20", all368); + + var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ + dup232, + dup2, + dup3, + dup9, + dup4, + dup5, + dup282, + ])); + + var msg1138 = msg("00556:21", part1789); + + var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ + dup232, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1139 = msg("00556:22", part1790); + + var select401 = linear_select([ + msg1118, + msg1119, + msg1120, + msg1121, + msg1122, + msg1123, + msg1124, + msg1125, + msg1126, + msg1127, + msg1128, + msg1129, + msg1130, + msg1131, + msg1132, + msg1133, + msg1134, + msg1135, + msg1136, + msg1137, + msg1138, + msg1139, + ]); + + var part1791 = 
match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1140 = msg("00572", part1791); + + var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1141 = msg("00572:01", part1792); + + var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1142 = msg("00572:03", part1793); + + var select402 = linear_select([ + msg1140, + msg1141, + msg1142, + ]); + + var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1143 = msg("00615", part1794); + + var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1144 = msg("00615:01", part1795); + + var select403 = linear_select([ + msg1143, + msg1144, + ]); + + var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ])); + + var msg1145 = msg("00601", part1796); + + var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ])); + + var msg1146 = msg("00601:01", part1797); + + var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1147 = msg("00601:18", part1798); + + var select404 = linear_select([ + msg1145, + msg1146, + msg1147, + ]); + + var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1148 = msg("00602", part1799); + + var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); + + var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); + + var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); + + var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); + + var select405 = linear_select([ + part1802, + part1803, + ]); + + var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); + + var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); + + var select406 = linear_select([ + part1805, + dup96, + ]); + + var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. 
(%{fld1})"); + + var all369 = all_match({ + processors: [ + part1800, + dup353, + part1801, + select405, + part1804, + select406, + part1806, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1149 = msg("00612", all369); + + var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1150 = msg("00620", part1807); + + var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); + + var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); + + var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); + + var select407 = linear_select([ + part1809, + part1810, + ]); + + var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); + + var all370 = all_match({ + processors: [ + part1808, + select407, + part1811, + ], + on_success: processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1151 = msg("00620:01", all370); + + var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1152 = msg("00620:02", part1812); + + var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1153 = msg("00620:03", part1813); + + var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. 
(%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1154 = msg("00620:04", part1814); + + var select408 = linear_select([ + msg1150, + msg1151, + msg1152, + msg1153, + msg1154, + ]); + + var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ + dup273, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1155 = msg("00622", part1815); + + var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); + + var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); + + var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); + + var select409 = linear_select([ + part1817, + part1818, + ]); + + var all371 = all_match({ + processors: [ + part1816, + select409, + dup49, + ], + on_success: processor_chain([ + dup273, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg1156 = msg("00625", all371); + + var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); + + var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); + + var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); + + var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); + + var select410 = linear_select([ + part1820, + part1821, + part1822, + ]); + + var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); + + var all372 = all_match({ + processors: [ + part1819, + select410, + part1823, + ], + on_success: processor_chain([ + dup223, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg1157 = msg("00628", all372); + + var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin 
%{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + dup282, + ])); + + var msg1158 = msg("00767:50", part1824); + + var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1159 = msg("00767:51", part1825); + + var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1160 = msg("00767:52", part1826); + + var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1161 = msg("00767:53", part1827); + + var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ + dup27, + setc("ec_theme","Communication"), + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1162 = msg("00767", part1828); + + var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); + + var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); + + var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); + + var select411 = linear_select([ + part1830, + part1831, + ]); + + var all373 = all_match({ + processors: [ + part1829, + select411, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, 
+ ]), + }); + + var msg1163 = msg("00767:01", all373); + + var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ + setc("eventcategory","1702000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1164 = msg("00767:02", part1832); + + var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1165 = msg("00767:03", part1833); + + var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1166 = msg("00767:04", part1834); + + var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1167 = msg("00767:05", part1835); + + var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1168 = msg("00767:06", part1836); + + var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1169 = msg("00767:07", part1837); + + var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); + + var all374 = all_match({ + processors: [ + part1838, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1170 = msg("00767:08", all374); + + var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); + + var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); + + var 
part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); + + var select412 = linear_select([ + part1840, + part1841, + ]); + + var all375 = all_match({ + processors: [ + part1839, + select412, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1171 = msg("00767:09", all375); + + var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); + + var all376 = all_match({ + processors: [ + part1842, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1172 = msg("00767:10", all376); + + var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); + + var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); + + var select413 = linear_select([ + dup331, + part1844, + ]); + + var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); + + var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); + + var select414 = linear_select([ + dup331, + part1846, + ]); + + var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); + + var all377 = all_match({ + processors: [ + part1843, + select413, + part1845, + select414, + part1847, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1173 = msg("00767:11", all377); + + var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1174 = msg("00767:12", part1848); + + var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is 
changed to %{fld4->} by admin %{p0}"); + + var all378 = all_match({ + processors: [ + part1849, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1175 = msg("00767:13", all378); + + var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); + + var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); + + var select415 = linear_select([ + part1851, + dup262, + ]); + + var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); + + var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); + + var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); + + var select416 = linear_select([ + part1853, + part1854, + ]); + + var all379 = all_match({ + processors: [ + part1850, + select415, + part1852, + select416, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1176 = msg("00767:14", all379); + + var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); + + var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); + + var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); + + var select417 = linear_select([ + part1855, + part1856, + part1857, + ]); + + var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); + + var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); + + var all380 = all_match({ + processors: [ + dup183, + select417, + part1858, + dup336, + part1859, + ], + on_success: processor_chain([ + dup223, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1177 = msg("00767:15", all380); + + var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ + dup1, + 
dup2, + dup3, + dup4, + dup5, + ])); + + var msg1178 = msg("00767:16", part1860); + + var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); + + var all381 = all_match({ + processors: [ + part1861, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1179 = msg("00767:17", all381); + + var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1180 = msg("00767:18", part1862); + + var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1181 = msg("00767:19", part1863); + + var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1182 = msg("00767:20", part1864); + + var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1183 = msg("00767:21", part1865); + + var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); + + var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); + + var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var select418 = linear_select([ + part1867, + part1868, + ]); + + var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); + + var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); + + var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); + + var select419 = linear_select([ + part1870, + part1871, + ]); + + var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); + + var all382 = all_match({ + processors: [ + part1866, + select418, + part1869, + select419, + part1872, + dup354, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1184 = msg("00767:22", all382); + + var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1185 = msg("00767:23", part1873); + + var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); + + var select420 = linear_select([ + dup169, + dup16, + ]); + + var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); + + var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); + + var select421 = linear_select([ + part1875, + part1876, + ]); + + var all383 = all_match({ + processors: [ + part1874, + select420, + dup23, + select421, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1186 = msg("00767:25", all383); + + var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); + + var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); + + var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); + + var select422 = linear_select([ + part1878, + part1879, + ]); + + var part1880 = 
match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); + + var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); + + var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); + + var select423 = linear_select([ + part1881, + part1882, + ]); + + var all384 = all_match({ + processors: [ + part1877, + select422, + part1880, + select423, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1187 = msg("00767:26", all384); + + var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); + + var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); + + var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); + + var select424 = linear_select([ + part1884, + part1885, + ]); + + var all385 = all_match({ + processors: [ + part1883, + select424, + ], + on_success: processor_chain([ + dup223, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1188 = msg("00767:27", all385); + + var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1189 = msg("00767:28", part1886); + + var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1190 = msg("00767:29", part1887); + + var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin 
%{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1191 = msg("00767:30", part1888); + + var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); + + var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); + + var select425 = linear_select([ + part1889, + part1890, + ]); + + var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); + + var all386 = all_match({ + processors: [ + dup186, + select425, + part1891, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1192 = msg("00767:31", all386); + + var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); + + var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); + + var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); + + var select426 = linear_select([ + part1893, + part1894, + ]); + + var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); + + var all387 = all_match({ + processors: [ + part1892, + select426, + part1895, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1193 = msg("00767:32", all387); + + var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1194 = msg("00767:33", part1896); + + var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ + dup313, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1195 = msg("00767:34", part1897); + + var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1196 = msg("00767:35", part1898); + + var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1197 = msg("00767:36", part1899); + + var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ + dup254, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1198 = msg("00767:37", part1900); + + var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ + setc("eventcategory","1602000000"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1199 = msg("00767:38", part1901); + + var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); + + var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); + + var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); + + var select427 = linear_select([ + part1903, + part1904, + ]); + + var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); + + var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); + + var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var select428 = linear_select([ + part1906, + part1907, + ]); + + var all388 = all_match({ + processors: [ + part1902, + select427, + part1905, + select428, + dup10, + ], + on_success: processor_chain([ + dup324, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1200 = msg("00767:39", all388); + + var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ + dup62, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1201 = msg("00767:40", part1908); + + var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1202 = msg("00767:42", part1909); + + var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1203 = msg("00767:43", part1910); + + var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1204 = msg("00767:44", part1911); + + var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1205 = msg("00767:45", part1912); + + var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1206 = msg("00767:46", part1913); + + var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup9, + ])); + + var msg1207 = msg("00767:47", part1914); + + var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); + + var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); + + var all389 = all_match({ + processors: [ + part1915, + dup364, + part1916, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1208 = msg("00767:24", all389); + + var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1209 = msg("00767:48", part1917); + + var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); + + var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); + + var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); + + var select429 = linear_select([ + part1919, + part1920, + ]); + + var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); + + var all390 = all_match({ + processors: [ + part1918, + select429, + part1921, + ], + on_success: processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg1210 = msg("00767:49", all390); + + var select430 = linear_select([ + msg1158, + msg1159, + msg1160, + msg1161, + msg1162, + msg1163, + msg1164, + msg1165, + msg1166, + msg1167, + msg1168, + msg1169, + msg1170, + msg1171, + msg1172, + msg1173, + msg1174, + msg1175, + msg1176, + msg1177, + msg1178, + msg1179, + msg1180, + msg1181, + msg1182, + msg1183, + msg1184, + msg1185, + msg1186, + msg1187, + msg1188, + msg1189, + msg1190, + msg1191, + msg1192, + msg1193, + msg1194, + msg1195, + msg1196, + msg1197, + msg1198, + msg1199, + msg1200, + msg1201, + msg1202, + msg1203, + msg1204, + msg1205, + msg1206, + msg1207, + msg1208, + msg1209, + msg1210, + ]); + + var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup277, + dup3, + dup275, + dup60, + ])); + + var msg1211 = msg("01269", part1922); + + var msg1212 = msg("01269:01", dup407); + + var msg1213 = msg("01269:02", dup408); + + var msg1214 = msg("01269:03", dup409); + + var 
select431 = linear_select([ + msg1211, + msg1212, + msg1213, + msg1214, + ]); + + var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup276, + dup277, + dup275, + dup332, + ])); + + var msg1215 = msg("17852", part1923); + + var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup332, + dup282, + ])); + + var msg1216 = msg("17852:01", part1924); + + var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup61, + ])); + + var msg1217 = msg("17852:02", part1925); + + var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup332, 
+ dup282, + ])); + + var msg1218 = msg("17852:03", part1926); + + var select432 = linear_select([ + msg1215, + msg1216, + msg1217, + msg1218, + ]); + + var msg1219 = msg("23184", dup410); + + var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup61, + dup282, + ])); + + var msg1220 = msg("23184:01", part1927); + + var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup276, + dup277, + dup275, + dup61, + ])); + + var msg1221 = msg("23184:02", part1928); + + var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup332, + dup282, + ])); + + var msg1222 = msg("23184:03", part1929); + + var select433 = linear_select([ + msg1219, + msg1220, + msg1221, + msg1222, + ]); + + var msg1223 = msg("27052", dup410); + + var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} 
service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup61, + dup282, + ])); + + var msg1224 = msg("27052:01", part1930); + + var select434 = linear_select([ + msg1223, + msg1224, + ]); + + var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup277, + dup5, + dup274, + dup3, + dup275, + dup276, + dup60, + ])); + + var msg1225 = msg("39568", part1931); + + var msg1226 = msg("39568:01", dup407); + + var msg1227 = msg("39568:02", dup408); + + var msg1228 = msg("39568:03", dup409); + + var select435 = linear_select([ + msg1225, + msg1226, + msg1227, + msg1228, + ]); + + var chain1 = processor_chain([ + select2, + msgid_select({ + "00001": select6, + "00002": select29, + "00003": select31, + "00004": select33, + "00005": select39, + "00006": select40, + "00007": select63, + "00008": select66, + "00009": select83, + "00010": select86, + "00011": select100, + "00012": select101, + "00013": select102, + "00014": select104, + "00015": select114, + "00016": select115, + "00017": select125, + "00018": select138, + "00019": select147, + "00020": select150, + "00021": select151, + "00022": select163, + "00023": select164, + "00024": select170, + "00025": select171, + "00026": select176, + "00027": select184, + "00028": msg469, + "00029": select188, + "00030": select197, + "00031": select205, + "00032": select207, + "00033": select214, + "00034": select225, + "00035": select232, + "00036": select234, + "00037": select241, + "00038": msg660, + "00039": msg661, + 
"00040": select244, + "00041": select245, + "00042": select246, + "00043": msg668, + "00044": select248, + "00045": msg671, + "00047": msg672, + "00048": select257, + "00049": select258, + "00050": msg682, + "00051": msg683, + "00052": msg684, + "00055": select265, + "00056": msg696, + "00057": msg697, + "00058": msg698, + "00059": select272, + "00062": select273, + "00063": msg713, + "00064": select274, + "00070": select276, + "00071": select277, + "00072": select278, + "00073": select279, + "00074": msg726, + "00075": select280, + "00076": select281, + "00077": select282, + "00084": msg735, + "00090": msg736, + "00200": msg737, + "00201": msg738, + "00202": msg739, + "00203": msg740, + "00206": select285, + "00207": select286, + "00257": select291, + "00259": select294, + "00262": msg778, + "00263": msg779, + "00400": msg780, + "00401": msg781, + "00402": select296, + "00403": msg784, + "00404": msg785, + "00405": msg786, + "00406": msg787, + "00407": msg788, + "00408": msg789, + "00409": msg790, + "00410": select297, + "00411": msg793, + "00413": select298, + "00414": select299, + "00415": msg799, + "00423": msg800, + "00429": select300, + "00430": select301, + "00431": msg805, + "00432": msg806, + "00433": msg807, + "00434": msg808, + "00435": select302, + "00436": select303, + "00437": select304, + "00438": select305, + "00440": select306, + "00441": msg823, + "00442": msg824, + "00443": msg825, + "00511": select307, + "00513": msg841, + "00515": select328, + "00518": select331, + "00519": select336, + "00520": select339, + "00521": msg890, + "00522": msg891, + "00523": msg892, + "00524": select340, + "00525": select341, + "00526": msg912, + "00527": select348, + "00528": select354, + "00529": select357, + "00530": select358, + "00531": select362, + "00533": msg973, + "00534": msg974, + "00535": select363, + "00536": select365, + "00537": select366, + "00538": select372, + "00539": select373, + "00541": select375, + "00542": msg1062, + "00543": msg1063, + 
"00544": msg1064, + "00546": msg1065, + "00547": select379, + "00549": msg1070, + "00551": select381, + "00553": select385, + "00554": select391, + "00555": msg1117, + "00556": select401, + "00572": select402, + "00601": select404, + "00602": msg1148, + "00612": msg1149, + "00615": select403, + "00620": select408, + "00622": msg1155, + "00625": msg1156, + "00628": msg1157, + "00767": select430, + "01269": select431, + "17852": select432, + "23184": select433, + "27052": select434, + "39568": select435, + }), + ]); + + var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); + + var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); + + var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); + + var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); + + var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); + + var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); + + var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); + + var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); + + var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); + + var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); + + var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); + + var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); + + var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); + + var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); + + var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); + + var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); + + var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", 
"disposition"); + + var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); + + var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); + + var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); + + var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); + + var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); + + var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); + + var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); + + var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); + + var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); + + var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); + + var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); + + var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); + + var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); + + var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); + + var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); + + var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); + + var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); + + var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); + + var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); + + var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); + + var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); + + var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); + + var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); + + var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); + + var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); + + var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); + + var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); + + var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); + + var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); + + var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); + + var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); + + var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); + + var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); + + var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); + + var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); + + var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); + + var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); + + var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); + + var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); + + var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); + + var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); + + var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); + + var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); + + var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); + + var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); + + var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); + + var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); + + var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); + + var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); + + var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); + + var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); + + var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); + + var part2004 = match("MESSAGE#163:00007:57/3_1", 
"nwparser.p0", "that %{p0}"); + + var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); + + var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); + + var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); + + var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); + + var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); + + var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); + + var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); + + var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); + + var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); + + var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); + + var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); + + var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); + + var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); + + var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); + + var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); + + var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); + + var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); + + var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); + + var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); + + var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); + + var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); + + var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); + + var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); + + var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); + + var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); + + var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); + + var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); + + var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); + + var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); + + var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); + + var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); + + var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); + + var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); + + var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); + + var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); + + var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); + + var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); + + var part2044 = 
match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); + + var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); + + var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); + + var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); + + var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); + + var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); + + var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); + + var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); + + var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); + + var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); + + var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); + + var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); + + var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); + + var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); + + var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); + + var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); + + var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); + + var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); + + var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); + + var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); + + var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); + + var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); + + var part2066 = 
match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); + + var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); + + var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); + + var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); + + var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); + + var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); + + var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); + + var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); + + var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); + + var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); + + var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); + + var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); + + var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); + + var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); + + var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); + + var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); + + var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); + + var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); + + var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); + + var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); + + var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); + + var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); + + var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); + + var part2089 = 
match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); + + var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); + + var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); + + var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); + + var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); + + var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); + + var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); + + var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); + + var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); + + var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); + + var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); + + var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); + + var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); + + var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); + + var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); + + var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); + + var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); + + var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); + + var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); + + var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); + + var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); + + var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); + + var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); + + var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); + + var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); + + var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); + + var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); + + var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); + + var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); + + var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); + + var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); + + var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); + + var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); + + var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); + + var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); + + var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); + + var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); + + var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); + + var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); + + var part2129 = 
match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); + + var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); + + var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); + + var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); + + var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); + + var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); + + var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); + + var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); + + var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); + + var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); + + var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); + + var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); + + var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); + + var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); + + var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); + + var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); + + var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + + var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); + + var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); + + var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); + + var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); + + var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); + + var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); + + var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); + + var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); + + var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); + + var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); + + var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); + + var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); + + var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); + + var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); + + var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); + + var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); + + var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); + + var part2167 = 
match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); + + var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); + + var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); + + var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); + + var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); + + var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); + + var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); + + var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); + + var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); + + var select436 = linear_select([ + dup10, + dup11, + ]); + + var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var select437 = linear_select([ + dup13, + dup14, + ]); + + var select438 = linear_select([ + dup15, + dup16, + ]); + + var select439 = linear_select([ + dup56, + dup57, + ]); + + var select440 = linear_select([ + dup65, + dup66, + ]); + + var select441 = linear_select([ + dup68, + dup69, + ]); + + var select442 = linear_select([ + dup71, + dup72, + ]); + + var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var select443 = linear_select([ + dup74, + dup75, + ]); + + var select444 = linear_select([ + dup81, + dup82, + ]); + + var select445 = linear_select([ + dup24, + dup90, + ]); + + var select446 = linear_select([ + dup94, + dup95, + ]); + + var select447 = linear_select([ + dup98, + dup99, + ]); + + var select448 = linear_select([ + dup100, + dup101, + dup102, + ]); + + 
var select449 = linear_select([ + dup113, + dup114, + ]); + + var select450 = linear_select([ + dup111, + dup16, + ]); + + var select451 = linear_select([ + dup127, + dup107, + ]); + + var select452 = linear_select([ + dup8, + dup21, + ]); + + var select453 = linear_select([ + dup122, + dup133, + ]); + + var select454 = linear_select([ + dup142, + dup143, + ]); + + var select455 = linear_select([ + dup145, + dup21, + ]); + + var select456 = linear_select([ + dup127, + dup106, + ]); + + var select457 = linear_select([ + dup152, + dup96, + ]); + + var select458 = linear_select([ + dup154, + dup155, + ]); + + var select459 = linear_select([ + dup156, + dup157, + ]); + + var select460 = linear_select([ + dup99, + dup134, + ]); + + var select461 = linear_select([ + dup158, + dup159, + ]); + + var select462 = linear_select([ + dup161, + dup162, + ]); + + var select463 = linear_select([ + dup163, + dup103, + ]); + + var select464 = linear_select([ + dup162, + dup161, + ]); + + var select465 = linear_select([ + dup46, + dup47, + ]); + + var select466 = linear_select([ + dup166, + dup167, + ]); + + var select467 = linear_select([ + dup172, + dup173, + ]); + + var select468 = linear_select([ + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + ]); + + var select469 = linear_select([ + dup49, + dup21, + ]); + + var select470 = linear_select([ + dup189, + dup190, + ]); + + var select471 = linear_select([ + dup96, + dup152, + ]); + + var select472 = linear_select([ + dup196, + dup197, + ]); + + var select473 = linear_select([ + dup24, + dup200, + ]); + + var select474 = linear_select([ + dup103, + dup163, + ]); + + var select475 = linear_select([ + dup205, + dup118, + ]); + + var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var select476 = linear_select([ + dup212, + dup213, + 
]); + + var select477 = linear_select([ + dup215, + dup216, + ]); + + var select478 = linear_select([ + dup222, + dup215, + ]); + + var select479 = linear_select([ + dup224, + dup225, + ]); + + var select480 = linear_select([ + dup231, + dup124, + ]); + + var select481 = linear_select([ + dup229, + dup230, + ]); + + var select482 = linear_select([ + dup233, + dup234, + ]); + + var select483 = linear_select([ + dup236, + dup237, + ]); + + var select484 = linear_select([ + dup242, + dup243, + ]); + + var select485 = linear_select([ + dup245, + dup246, + ]); + + var select486 = linear_select([ + dup247, + dup248, + ]); + + var select487 = linear_select([ + dup249, + dup250, + ]); + + var select488 = linear_select([ + dup251, + dup252, + ]); + + var select489 = linear_select([ + dup260, + dup261, + ]); + + var select490 = linear_select([ + dup264, + dup265, + ]); + + var select491 = linear_select([ + dup268, + dup269, + ]); + + var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var select492 = linear_select([ + dup284, + dup285, + ]); + + var select493 = linear_select([ + dup287, + dup288, + ]); + + var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup60, + ])); + + var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, + ])); + + var select494 = linear_select([ + dup300, + dup26, + ]); + + var select495 = linear_select([ + dup115, + dup303, + ]); + + var select496 = linear_select([ + dup125, + dup96, + ]); + + var select497 = linear_select([ + dup189, + dup308, + dup309, + ]); + + var select498 = linear_select([ + dup310, + dup16, + ]); + + var select499 = linear_select([ + dup317, + dup318, + ]); + + var select500 = linear_select([ + dup319, + dup315, + ]); + + var select501 = linear_select([ + dup322, + dup250, + ]); + + var select502 = linear_select([ + dup327, + dup329, + ]); + + var select503 = linear_select([ + dup330, + dup129, + ]); + + var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup60, + dup282, + ])); + + var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup60, + ])); + + var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + 
dup274, + dup3, + dup275, + dup60, + dup282, + ])); + + var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup61, + ])); + + var all391 = all_match({ + processors: [ + dup263, + dup390, + dup266, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var all392 = all_match({ + processors: [ + dup267, + dup391, + dup270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var all393 = all_match({ + processors: [ + dup80, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var all394 = all_match({ + processors: [ + dup296, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + + var all395 = all_match({ + processors: [ + dup298, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: 
server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/juniper/1.1.1/data_stream/netscreen/agent/stream/udp.yml.hbs b/packages/juniper/1.1.1/data_stream/netscreen/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..63a0c266a8
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/netscreen/agent/stream/udp.yml.hbs
@@ -0,0 +1,26354 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Juniper" + product: "Netscreen" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} for %{p0}"); + + var dup7 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); + + var dup8 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); + + var dup9 = date_time({ + dest: "event_time", + args: ["fld1"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup10 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); + + var dup11 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); + + var dup12 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); + + var dup13 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); + + var dup14 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); + + var dup15 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); + + var dup16 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); + + var dup17 = setc("eventcategory","1502000000"); + + var dup18 = setc("eventcategory","1703000000"); + + var dup19 = setc("eventcategory","1603000000"); + + var dup20 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); + + var dup21 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); + + var dup22 = setc("eventcategory","1502050000"); + + var dup23 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); + + var dup24 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); + + var dup25 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); + + var dup26 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); + + var dup27 = setc("eventcategory","1801010000"); + + var dup28 = setc("eventcategory","1401060000"); + + var dup29 = setc("ec_subject","User"); + + var dup30 = setc("ec_activity","Logon"); + + var dup31 = setc("ec_theme","Authentication"); + + var dup32 = 
setc("ec_outcome","Success"); + + var dup33 = setc("eventcategory","1401070000"); + + var dup34 = setc("ec_activity","Logoff"); + + var dup35 = setc("eventcategory","1303000000"); + + var dup36 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); + + var dup37 = setc("eventcategory","1402020200"); + + var dup38 = setc("ec_theme","UserGroup"); + + var dup39 = setc("ec_outcome","Error"); + + var dup40 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); + + var dup41 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); + + var dup42 = setc("eventcategory","1402020300"); + + var dup43 = setc("ec_activity","Modify"); + + var dup44 = setc("eventcategory","1605000000"); + + var dup45 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); + + var dup46 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); + + var dup47 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); + + var dup48 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); + + var dup49 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". 
(%{fld1})"); + + var dup50 = setc("eventcategory","1701020000"); + + var dup51 = setc("ec_theme","Configuration"); + + var dup52 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); + + var dup53 = setc("eventcategory","1301000000"); + + var dup54 = setc("ec_outcome","Failure"); + + var dup55 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); + + var dup56 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); + + var dup57 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); + + var dup58 = setc("eventcategory","1001000000"); + + var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); + + var dup60 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("saddr"), + field("daddr"), + ], + }); + + var dup61 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("saddr"), + field("daddr"), + field("sport"), + field("dport"), + ], + }); + + var dup62 = setc("eventcategory","1608010000"); + + var dup63 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); + + var dup64 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); + + var dup65 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); + + var dup66 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); + + var dup67 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var dup68 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); + + var dup69 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); + + var dup70 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); + + var dup71 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); + + var dup72 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); + + var dup73 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); + + var dup74 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); + + var dup75 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); + + var dup76 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); + + var dup77 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); + + var dup78 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); + + var dup79 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); + + var dup80 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup81 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); + + var dup82 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); + + var dup83 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var dup84 = setc("eventcategory","1002020000"); + + var dup85 = setc("eventcategory","1002000000"); + + var dup86 = setc("eventcategory","1603110000"); + + var dup87 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); + + var dup88 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); + + var dup89 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); + + var dup90 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); + + var dup91 = setc("eventcategory","1613040200"); + + var dup92 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); + + var dup93 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); + + var dup94 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); + + var dup95 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); + + var dup96 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); + + var dup97 = setc("eventcategory","1613050200"); + + var dup98 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); + + var dup99 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); + + var dup100 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); + + var dup101 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); + + var dup102 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); + + var dup103 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); + + var dup104 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); + + var dup105 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); + + var dup106 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); + + var dup107 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); + + var dup108 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); + + var dup109 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); + + var dup110 = 
match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); + + var dup111 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); + + var dup112 = match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); + + var dup113 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); + + var dup114 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); + + var dup115 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); + + var dup116 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); + + var dup117 = setc("eventcategory","1603090000"); + + var dup118 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); + + var dup119 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); + + var dup120 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); + + var dup121 = setc("eventcategory","1603030000"); + + var dup122 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); + + var dup123 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); + + var dup124 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); + + var dup125 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); + + var dup126 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); + + var dup127 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); + + var dup128 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); + + var dup129 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); + + var dup130 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); + + var dup131 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var dup132 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup133 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); + + var dup134 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); + + var dup135 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); + + var dup136 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); + + var dup137 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); + + var dup138 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); + + var dup139 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); + + var dup140 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); + + var dup141 = setc("eventcategory","1702030000"); + + var dup142 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); + + var dup143 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); + + var dup144 = setc("eventcategory","1601000000"); + + var dup145 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); + + var dup146 = date_time({ + dest: "event_time", + args: ["fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup147 = setc("eventcategory","1103000000"); + + var dup148 = setc("ec_subject","NetworkComm"); + + var dup149 = setc("ec_activity","Scan"); + + var dup150 = setc("ec_theme","TEV"); + + var dup151 = setc("eventcategory","1103010000"); + + var dup152 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); + + var dup153 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); + + var dup154 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); + + var dup155 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); + + var dup156 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled 
%{p0}"); + + var dup157 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); + + var dup158 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); + + var dup159 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); + + var dup160 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); + + var dup161 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); + + var dup162 = match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); + + var dup163 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); + + var dup164 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); + + var dup165 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); + + var dup166 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); + + var dup167 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); + + var dup168 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); + + var dup169 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); + + var dup170 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); + + var dup171 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); + + var dup172 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); + + var dup173 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); + + var dup174 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); + + var dup175 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); + + var dup176 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); + + var dup177 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); + + var dup178 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); + + var dup179 = 
match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); + + var dup180 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); + + var dup181 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); + + var dup182 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); + + var dup183 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); + + var dup184 = setc("eventcategory","1603020000"); + + var dup185 = setc("eventcategory","1803000000"); + + var dup186 = match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); + + var dup187 = setc("eventcategory","1603010000"); + + var dup188 = setc("eventcategory","1603100000"); + + var dup189 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); + + var dup190 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); + + var dup191 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); + + var dup192 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); + + var dup193 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); + + var dup194 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); + + var dup195 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); + + var dup196 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); + + var dup197 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); + + var dup198 = setc("eventcategory","1801030000"); + + var dup199 = setc("eventcategory","1302010200"); + + var dup200 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); + + var dup201 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); + + var dup202 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); + + var dup203 = setc("eventcategory","1304000000"); + + var dup204 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); + + var dup205 = match("MESSAGE#446:00027/1_0", "nwparser.p0", 
"occurred for %{p0}"); + + var dup206 = setc("eventcategory","1401030000"); + + var dup207 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); + + var dup208 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); + + var dup209 = setc("eventcategory","1605020000"); + + var dup210 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); + + var dup211 = setc("ec_subject","Certificate"); + + var dup212 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); + + var dup213 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); + + var dup214 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); + + var dup215 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); + + var dup216 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); + + var dup217 = match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); + + var dup218 = setc("ec_subject","CryptoKey"); + + var dup219 = setc("ec_subject","Configuration"); + + var dup220 = setc("ec_activity","Request"); + + var dup221 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); + + var dup222 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); + + var dup223 = setc("eventcategory","1612000000"); + + var dup224 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); + + var dup225 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); + + var dup226 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); + + var dup227 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); + + var dup228 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); + + var dup229 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); + + var dup230 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); + + var dup231 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); + + var dup232 
= setc("eventcategory","1201000000"); + + var dup233 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); + + var dup234 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); + + var dup235 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); + + var dup236 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); + + var dup237 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); + + var dup238 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); + + var dup239 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup240 = setc("eventcategory","1401000000"); + + var dup241 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); + + var dup242 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); + + var dup243 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); + + var dup244 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); + + var dup245 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); + + var dup246 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); + + var dup247 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); + + var dup248 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); + + var dup249 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); + + var dup250 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); + + var dup251 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); + + var dup252 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); + + var dup253 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); + + var dup254 = setc("eventcategory","1608000000"); + + var dup255 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: 
%{p0}"); + + var dup256 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); + + var dup257 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); + + var dup258 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); + + var dup259 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); + + var dup260 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); + + var dup261 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); + + var dup262 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); + + var dup263 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); + + var dup264 = match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); + + var dup265 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); + + var dup266 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var dup267 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); + + var dup268 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); + + var dup269 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); + + var dup270 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); + + var dup271 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var dup272 = setc("eventcategory","1805010000"); + + var dup273 = setc("eventcategory","1805000000"); + + var dup274 = date_time({ + dest: "starttime", + args: ["fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup275 = call({ + dest: "nwparser.bytes", + fn: CALC, + args: [ + field("sbytes"), + constant("+"), + field("rbytes"), + ], + }); + + var dup276 = setc("action","Deny"); + + var dup277 = setc("disposition","Deny"); + + var dup278 = setc("direction","outgoing"); + + var dup279 = call({ + dest: 
"nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("saddr"), + field("daddr"), + field("sport"), + field("dport"), + ], + }); + + var dup280 = setc("direction","incoming"); + + var dup281 = setc("eventcategory","1801000000"); + + var dup282 = setf("action","disposition"); + + var dup283 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); + + var dup284 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); + + var dup285 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); + + var dup286 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); + + var dup287 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); + + var dup288 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); + + var dup289 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); + + var dup290 = setc("eventcategory","1401050200"); + + var dup291 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("daddr"), + field("saddr"), + ], + }); + + var dup292 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("daddr"), + field("saddr"), + field("dport"), + field("sport"), + ], + }); + + var dup293 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); + + var dup294 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); + + var dup295 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); + + var dup296 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup297 = setc("eventcategory","1204000000"); + + var dup298 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var dup299 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + + var dup300 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); + + var dup301 = setc("eventcategory","1801020000"); + + var dup302 = setc("disposition","failed"); + + var dup303 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); + + var dup304 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); + + var dup305 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); + + var dup306 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); + + var dup307 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); + + var dup308 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); + + var dup309 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); + + var dup310 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); + + var dup311 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); + + var dup312 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); + + var dup313 = setc("eventcategory","1803020000"); + + var dup314 = setc("eventcategory","1613030000"); + + var dup315 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); + + var dup316 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); + + var dup317 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); + + var dup318 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); + + var dup319 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); + + var dup320 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); + + var dup321 = match("MESSAGE#932:00528:19/0", 
"nwparser.payload", "%{}S%{p0}"); + + var dup322 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); + + var dup323 = setc("event_description","Cannot connect to NSM server"); + + var dup324 = setc("eventcategory","1603040000"); + + var dup325 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); + + var dup326 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); + + var dup327 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); + + var dup328 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); + + var dup329 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); + + var dup330 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); + + var dup331 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); + + var dup332 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("daddr"), + field("saddr"), + field("dport"), + field("sport"), + ], + }); + + var dup333 = linear_select([ + dup10, + dup11, + ]); + + var dup334 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var dup335 = linear_select([ + dup13, + dup14, + ]); + + var dup336 = linear_select([ + dup15, + dup16, + ]); + + var dup337 = linear_select([ + dup56, + dup57, + ]); + + var dup338 = linear_select([ + dup65, + dup66, + ]); + + var dup339 = linear_select([ + dup68, + dup69, + ]); + + var dup340 = linear_select([ + dup71, + dup72, + ]); + + var dup341 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var dup342 = linear_select([ + dup74, + dup75, + ]); + + var dup343 = linear_select([ + dup81, + dup82, + ]); + + var dup344 = linear_select([ + 
dup24, + dup90, + ]); + + var dup345 = linear_select([ + dup94, + dup95, + ]); + + var dup346 = linear_select([ + dup98, + dup99, + ]); + + var dup347 = linear_select([ + dup100, + dup101, + dup102, + ]); + + var dup348 = linear_select([ + dup113, + dup114, + ]); + + var dup349 = linear_select([ + dup111, + dup16, + ]); + + var dup350 = linear_select([ + dup127, + dup107, + ]); + + var dup351 = linear_select([ + dup8, + dup21, + ]); + + var dup352 = linear_select([ + dup122, + dup133, + ]); + + var dup353 = linear_select([ + dup142, + dup143, + ]); + + var dup354 = linear_select([ + dup145, + dup21, + ]); + + var dup355 = linear_select([ + dup127, + dup106, + ]); + + var dup356 = linear_select([ + dup152, + dup96, + ]); + + var dup357 = linear_select([ + dup154, + dup155, + ]); + + var dup358 = linear_select([ + dup156, + dup157, + ]); + + var dup359 = linear_select([ + dup99, + dup134, + ]); + + var dup360 = linear_select([ + dup158, + dup159, + ]); + + var dup361 = linear_select([ + dup161, + dup162, + ]); + + var dup362 = linear_select([ + dup163, + dup103, + ]); + + var dup363 = linear_select([ + dup162, + dup161, + ]); + + var dup364 = linear_select([ + dup46, + dup47, + ]); + + var dup365 = linear_select([ + dup166, + dup167, + ]); + + var dup366 = linear_select([ + dup172, + dup173, + ]); + + var dup367 = linear_select([ + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + ]); + + var dup368 = linear_select([ + dup49, + dup21, + ]); + + var dup369 = linear_select([ + dup189, + dup190, + ]); + + var dup370 = linear_select([ + dup96, + dup152, + ]); + + var dup371 = linear_select([ + dup196, + dup197, + ]); + + var dup372 = linear_select([ + dup24, + dup200, + ]); + + var dup373 = linear_select([ + dup103, + dup163, + ]); + + var dup374 = linear_select([ + dup205, + dup118, + ]); + + var dup375 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to 
%{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var dup376 = linear_select([ + dup212, + dup213, + ]); + + var dup377 = linear_select([ + dup215, + dup216, + ]); + + var dup378 = linear_select([ + dup222, + dup215, + ]); + + var dup379 = linear_select([ + dup224, + dup225, + ]); + + var dup380 = linear_select([ + dup231, + dup124, + ]); + + var dup381 = linear_select([ + dup229, + dup230, + ]); + + var dup382 = linear_select([ + dup233, + dup234, + ]); + + var dup383 = linear_select([ + dup236, + dup237, + ]); + + var dup384 = linear_select([ + dup242, + dup243, + ]); + + var dup385 = linear_select([ + dup245, + dup246, + ]); + + var dup386 = linear_select([ + dup247, + dup248, + ]); + + var dup387 = linear_select([ + dup249, + dup250, + ]); + + var dup388 = linear_select([ + dup251, + dup252, + ]); + + var dup389 = linear_select([ + dup260, + dup261, + ]); + + var dup390 = linear_select([ + dup264, + dup265, + ]); + + var dup391 = linear_select([ + dup268, + dup269, + ]); + + var dup392 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var dup393 = linear_select([ + dup284, + dup285, + ]); + + var dup394 = linear_select([ + dup287, + dup288, + ]); + + var dup395 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup60, + ])); + + var dup396 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, + ])); + + var dup397 = linear_select([ + dup300, + dup26, + ]); + + var dup398 = linear_select([ + dup115, + dup303, + ]); + + var dup399 = linear_select([ + dup125, + dup96, + ]); + + var dup400 = linear_select([ + dup189, + dup308, + dup309, + ]); + + var dup401 = linear_select([ + dup310, + dup16, + ]); + + var dup402 = linear_select([ + dup317, + dup318, + ]); + + var dup403 = linear_select([ + dup319, + dup315, + ]); + + var dup404 = linear_select([ + dup322, + dup250, + ]); + + var dup405 = linear_select([ + dup327, + dup329, + ]); + + var dup406 = linear_select([ + dup330, + dup129, + ]); + + var dup407 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup60, + dup282, + ])); + + var dup408 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup60, + ])); + + var dup409 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup60, + 
dup282, + ])); + + var dup410 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup61, + ])); + + var dup411 = all_match({ + processors: [ + dup263, + dup390, + dup266, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var dup412 = all_match({ + processors: [ + dup267, + dup391, + dup270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var dup413 = all_match({ + processors: [ + dup80, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var dup414 = all_match({ + processors: [ + dup296, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + + var dup415 = all_match({ + processors: [ + dup298, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr4 = 
match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); + + var part1 = match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); + + var part2 = match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); + + var part3 = match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); + + var select1 = linear_select([ + part1, + part2, + part3, + ]); + + var part4 = match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); + + var all1 = all_match({ + processors: [ + hdr4, + select1, + part4, + ], + on_success: processor_chain([ + setc("header_id","0002"), + ]), + }); + + var select2 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, + ]); + + var part5 = match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1 = msg("00001", part5); + + var part6 = match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg2 = msg("00001:01", part6); + + var part7 = match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); + + var select3 = linear_select([ + part7, + dup7, + ]); + + var part8 = match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); + + var all2 = all_match({ + processors: [ + dup6, + select3, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg3 = msg("00001:02", all2); + + var part9 = match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg4 = msg("00001:03", part9); + + var part10 = match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); + + 
var select4 = linear_select([ + part10, + dup7, + ]); + + var part11 = match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); + + var part12 = match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); + + var select5 = linear_select([ + dup8, + part12, + ]); + + var all3 = all_match({ + processors: [ + dup6, + select4, + part11, + select5, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg5 = msg("00001:04", all3); + + var part13 = match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); + + var all4 = all_match({ + processors: [ + part13, + dup333, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg6 = msg("00001:05", all4); + + var part14 = match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg7 = msg("00001:06", part14); + + var msg8 = msg("00001:07", dup334); + + var part15 = match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); + + var part16 = match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); + + var all5 = all_match({ + processors: [ + dup12, + dup335, + part15, + dup336, + part16, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg9 = msg("00001:08", all5); + + var part17 = match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. 
(%{fld1})"); + + var all6 = all_match({ + processors: [ + dup12, + dup335, + part17, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg10 = msg("00001:09", all6); + + var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part18 = match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg11 = msg("00002:03", part18); + + var part19 = match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg12 = msg("00002:04", part19); + + var part20 = match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg13 = msg("00002:05", part20); + + var part21 = match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg14 = msg("00002:06", part21); + + var part22 = match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg15 = msg("00002:07", part22); + + var part23 = match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg16 = msg("00002:55", part23); + + var part24 = match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg17 = msg("00002:08", part24); + + var part25 = match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg18 = msg("00002:09", part25); + + var part26 = match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg19 = msg("00002:10", part26); + + var part27 = match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg20 = msg("00002:11", part27); + + var part28 = match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg21 = msg("00002:12", part28); + + var part29 = match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg22 = msg("00002:15", part29); + + var msg23 = msg("00002:17", dup334); + + var part30 = match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); + + var part31 = match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); + + var part32 = match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); + + var select7 = linear_select([ + part31, + part32, + ]); + + var part33 = match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); + + var all7 = all_match({ + processors: [ + 
part30, + select7, + part33, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg24 = msg("00002:18", all7); + + var part34 = match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg25 = msg("00002:19", part34); + + var part35 = match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); + + var part36 = match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); + + var select8 = linear_select([ + part36, + dup20, + dup21, + ]); + + var all8 = all_match({ + processors: [ + part35, + select8, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg26 = msg("00002:20", all8); + + var part37 = match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); + + var part38 = match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); + + var select9 = linear_select([ + part37, + part38, + ]); + + var select10 = linear_select([ + dup24, + dup25, + ]); + + var part39 = match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); + + var all9 = all_match({ + processors: [ + select9, + dup23, + select10, + part39, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg27 = msg("00002:21", all9); + + var part40 = match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); + + var part41 = match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); + + var part42 = match("MESSAGE#27:00002:22/1_1", "nwparser.p0", 
"%{administrator->} from host %{saddr}"); + + var select11 = linear_select([ + part41, + part42, + dup26, + ]); + + var all10 = all_match({ + processors: [ + part40, + select11, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg28 = msg("00002:22", all10); + + var part43 = match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); + + var part44 = match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); + + var select12 = linear_select([ + dup20, + part44, + dup21, + ]); + + var all11 = all_match({ + processors: [ + part43, + select12, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg29 = msg("00002:23", all11); + + var part45 = match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); + + var part46 = match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); + + var part47 = match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); + + var select13 = linear_select([ + part46, + part47, + ]); + + var all12 = all_match({ + processors: [ + part45, + select13, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg30 = msg("00002:24", all12); + + var part48 = match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + setc("eventcategory","1402000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg31 = msg("00002:25", part48); + + var part49 = match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg32 = msg("00002:26", 
part49); + + var part50 = match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg33 = msg("00002:27", part50); + + var part51 = match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg34 = msg("00002:28", part51); + + var part52 = match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg35 = msg("00002:29", part52); + + var part53 = match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ + dup28, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg36 = msg("00002:30", part53); + + var part54 = match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ + dup33, + dup29, + dup34, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg37 = msg("00002:41", part54); + + var part55 = match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup35, + dup29, + dup30, + dup31, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg38 = msg("00002:31", part55); + + var part56 = match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); + + var part57 = match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); + + var select14 = 
linear_select([ + part56, + part57, + ]); + + var part58 = match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); + + var all13 = all_match({ + processors: [ + select14, + part58, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg39 = msg("00002:32", all13); + + var part59 = match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg40 = msg("00002:35", part59); + + var part60 = match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); + + var part61 = match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); + + var part62 = match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); + + var select15 = linear_select([ + part61, + part62, + ]); + + var part63 = match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); + + var all14 = all_match({ + processors: [ + part60, + select15, + part63, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg41 = msg("00002:36", all14); + + var part64 = match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); + + var part65 = match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); + + var part66 = match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); + + var part67 = match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); + + var part68 = match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); + + var select16 = linear_select([ + part65, + part66, + part67, + part68, + ]); + + var part69 = match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); + + var all15 = all_match({ + processors: [ + part64, + select16, + part69, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg42 = 
msg("00002:37", all15); + + var part70 = match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); + + var part71 = match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); + + var select17 = linear_select([ + part71, + dup36, + ]); + + var all16 = all_match({ + processors: [ + part70, + select17, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg43 = msg("00002:38", all16); + + var part72 = match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg44 = msg("00002:39", part72); + + var part73 = match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ + dup37, + dup29, + setc("ec_activity","Create"), + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg45 = msg("00002:40", part73); + + var part74 = match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. 
Possible HA syncronization problem.", processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg46 = msg("00002:44", part74); + + var part75 = match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); + + var part76 = match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); + + var select18 = linear_select([ + part76, + dup40, + ]); + + var part77 = match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); + + var part78 = match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); + + var part79 = match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); + + var select19 = linear_select([ + part78, + part79, + ]); + + var all17 = all_match({ + processors: [ + part75, + select18, + part77, + select19, + dup41, + ], + on_success: processor_chain([ + dup42, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg47 = msg("00002:42", all17); + + var part80 = match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); + + var part81 = match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); + + var part82 = match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); + + var select20 = linear_select([ + part81, + part82, + ]); + + var part83 = match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + + var all18 = all_match({ + processors: [ + part80, + select20, + part83, + ], + on_success: processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg48 = msg("00002:43", all18); + + var part84 = match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by 
%{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg49 = msg("00002:50", part84); + + var part85 = match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg50 = msg("00002:51", part85); + + var part86 = match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg51 = msg("00002:45", part86); + + var part87 = match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); + + var part88 = match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); + + var part89 = match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); + + var part90 = match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); + + var part91 = match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); + + var select21 = linear_select([ + part87, + part88, + part89, + part90, + part91, + ]); + + var part92 = match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})"); + + var all19 = all_match({ + processors: [ + select21, + part92, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg52 = msg("00002:47", all19); + + var part93 = match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); + + var part94 = match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); + + var part95 = match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); + + var select22 = linear_select([ + part94, + part95, + ]); + + var part96 = match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); + + var part97 = match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); + + var select23 = linear_select([ + part97, + dup45, + ]); + + var all20 = all_match({ + processors: [ + part93, + select22, + part96, + select23, + dup41, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg53 = msg("00002:48", all20); + + var part98 = match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); + + var part99 = match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); + + var part100 = match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); + + var part101 = match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); + + var part102 = match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); + + var select24 = linear_select([ + part99, + part100, + part101, + part102, + ]); + + var part103 = match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); + + var part104 = match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); + + var select25 = linear_select([ + dup46, + part104, + dup47, + ]); + + var select26 = linear_select([ + dup48, + dup45, + ]); + + var all21 = all_match({ + processors: [ + 
part98, + select24, + part103, + select25, + select26, + dup41, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg54 = msg("00002:52", all21); + + var part105 = match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ + dup42, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg55 = msg("00002:53", part105); + + var part106 = match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); + + var part107 = match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); + + var part108 = match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); + + var select27 = linear_select([ + part107, + part108, + ]); + + var all22 = all_match({ + processors: [ + part106, + select27, + dup49, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), + }); + + var msg56 = msg("00002:54", all22); + + var part109 = match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); + + var part110 = match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); + + var select28 = linear_select([ + part110, + dup52, + ]); + + var part111 = match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); + + var all23 = all_match({ + processors: [ + part109, + select28, + part111, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg57 = msg("00002", all23); + + var part112 = match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. 
(%{fld1})", processor_chain([ + dup53, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg58 = msg("00002:56", part112); + + var select29 = linear_select([ + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + ]); + + var part113 = match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup53, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg59 = msg("00003", part113); + + var part114 = match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ + dup53, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg60 = msg("00003:01", part114); + + var part115 = match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg61 = msg("00003:02", part115); + + var part116 = match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg62 = msg("00003:03", part116); + + var part117 = match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); + + var part118 = match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); + + var select30 = linear_select([ + part117, + part118, + ]); + + var part119 = match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been 
%{disposition->} by admin %{administrator}."); + + var all24 = all_match({ + processors: [ + dup55, + select30, + part119, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg63 = msg("00003:05", all24); + + var select31 = linear_select([ + msg59, + msg60, + msg61, + msg62, + msg63, + ]); + + var part120 = match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg64 = msg("00004", part120); + + var part121 = match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg65 = msg("00004:01", part121); + + var part122 = match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg66 = msg("00004:02", part122); + + var part123 = match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg67 = msg("00004:03", part123); + + var part124 = match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); + + var part125 = match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); + + var all25 = all_match({ + processors: [ + part124, + dup337, + part125, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup59, + dup3, + dup60, + ]), + }); + + var msg68 = msg("00004:04", all25); + + var part126 = match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg69 = msg("00004:05", part126); + + var part127 = match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg70 = msg("00004:06", part127); + + var part128 = match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg71 = msg("00004:07", part128); + + var part129 = match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg72 = msg("00004:08", part129); + + var part130 = match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg73 = msg("00004:09", part130); + + var part131 = match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg74 = msg("00004:10", part131); + + var part132 = match("MESSAGE#73:00004:11", 
"nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg75 = msg("00004:11", part132); + + var part133 = match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg76 = msg("00004:12", part133); + + var part134 = match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg77 = msg("00004:13", part134); + + var part135 = match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); + + var part136 = match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); + + var select32 = linear_select([ + part135, + part136, + ]); + + var all26 = all_match({ + processors: [ + dup63, + select32, + dup49, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg78 = msg("00004:14", all26); + + var part137 = match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg79 = msg("00004:15", part137); + + var part138 = match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg80 = msg("00004:16", part138); + + var all27 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup9, + dup5, + dup3, + dup60, + ]), + }); + + var msg81 = msg("00004:17", all27); + + var select33 = linear_select([ + msg64, + msg65, + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + ]); + + var part139 = match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg82 = msg("00005", part139); + + var part140 = match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg83 = msg("00005:01", part140); + + var part141 = match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg84 = msg("00005:02", part141); + + var part142 = match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); + + var part143 = match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); + + var part144 = match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. 
%{p0}"); + + var select34 = linear_select([ + part144, + dup73, + ]); + + var part145 = match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); + + var all28 = all_match({ + processors: [ + part142, + dup339, + dup70, + dup340, + part143, + select34, + part145, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ]), + }); + + var msg85 = msg("00005:03", all28); + + var msg86 = msg("00005:04", dup341); + + var part146 = match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ + setc("eventcategory","1001020100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg87 = msg("00005:05", part146); + + var part147 = match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); + + var all29 = all_match({ + processors: [ + dup342, + part147, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg88 = msg("00005:06", all29); + + var part148 = match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); + + var part149 = match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); + + var part150 = match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); + + var part151 = match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); + + var part152 = match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); + + var select35 = linear_select([ + part149, + part150, + dup76, + part151, + part152, + ]); + + var part153 = match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); + + var all30 = all_match({ + processors: [ + part148, + select35, + part153, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg89 = msg("00005:07", all30); + 
+ var part154 = match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); + + var select36 = linear_select([ + dup77, + dup78, + ]); + + var part155 = match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); + + var all31 = all_match({ + processors: [ + dup342, + part154, + select36, + part155, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg90 = msg("00005:08", all31); + + var part156 = match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg91 = msg("00005:09", part156); + + var part157 = match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg92 = msg("00005:10", part157); + + var part158 = match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); + + var part159 = match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); + + var part160 = match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); + + var part161 = match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); + + var part162 = match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); + + var part163 = match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); + + var select37 = linear_select([ + part159, + part160, + part161, + part162, + part163, + ]); + + var all32 = all_match({ + processors: [ + part158, + select37, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg93 = msg("00005:11", all32); + + var part164 = match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ + dup1, + dup2, + 
dup3, + dup4, + dup5, + ])); + + var msg94 = msg("00005:12", part164); + + var part165 = match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg95 = msg("00005:13", part165); + + var part166 = match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg96 = msg("00005:14", part166); + + var part167 = match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg97 = msg("00005:15", part167); + + var part168 = match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg98 = msg("00005:16", part168); + + var part169 = match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); + + var part170 = match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); + + var select38 = linear_select([ + part169, + part170, + ]); + + var part171 = match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); + + var all33 = all_match({ + processors: [ + dup79, + select38, + part171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg99 = msg("00005:17", all33); + + var all34 = all_match({ + processors: [ + dup80, + dup343, + dup83, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg100 = msg("00005:18", all34); + + var part172 = match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol 
%{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup84, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ])); + + var msg101 = msg("00005:19", part172); + + var part173 = match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup84, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg102 = msg("00005:20", part173); + + var select39 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + ]); + + var part174 = match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, + ])); + + var msg103 = msg("00006", part174); + + var part175 = match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg104 = msg("00006:01", part175); + + var part176 = match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg105 = msg("00006:02", part176); + + var part177 = match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg106 = msg("00006:03", part177); + + var part178 = match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to 
%{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + + var all35 = all_match({ + processors: [ + part178, + dup338, + dup67, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg107 = msg("00006:04", all35); + + var all36 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg108 = msg("00006:05", all36); + + var select40 = linear_select([ + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + ]); + + var part179 = match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg109 = msg("00007", part179); + + var part180 = match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg110 = msg("00007:01", part180); + + var part181 = match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); + + var part182 = match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); + + var part183 = match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); + + var select41 = linear_select([ + part182, + part183, + ]); + + var all37 = all_match({ + processors: [ + part181, + select41, + ], + on_success: processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg111 = msg("00007:02", all37); + + var part184 = match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg112 = msg("00007:03", 
part184); + + var select42 = linear_select([ + dup88, + dup89, + ]); + + var part185 = match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); + + var all38 = all_match({ + processors: [ + dup87, + select42, + dup23, + dup344, + part185, + ], + on_success: processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg113 = msg("00007:04", all38); + + var part186 = match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg114 = msg("00007:05", part186); + + var part187 = match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg115 = msg("00007:06", part187); + + var part188 = match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg116 = msg("00007:07", part188); + + var part189 = match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg117 = msg("00007:08", part189); + + var part190 = match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg118 = msg("00007:09", part190); + + var part191 = match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg119 = msg("00007:10", 
part191); + + var part192 = match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); + + var select43 = linear_select([ + dup92, + dup93, + ]); + + var all39 = all_match({ + processors: [ + part192, + select43, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg120 = msg("00007:11", all39); + + var part193 = match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg121 = msg("00007:12", part193); + + var part194 = match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg122 = msg("00007:13", part194); + + var part195 = match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup60, + ])); + + var msg123 = msg("00007:14", part195); + + var part196 = match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg124 = msg("00007:15", part196); + + var part197 = match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg125 = msg("00007:16", part197); + + var part198 = match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + 
dup5, + ])); + + var msg126 = msg("00007:17", part198); + + var part199 = match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); + + var part200 = match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); + + var part201 = match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); + + var select44 = linear_select([ + part200, + part201, + ]); + + var part202 = match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); + + var part203 = match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); + + var part204 = match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); + + var select45 = linear_select([ + part203, + part204, + ]); + + var all40 = all_match({ + processors: [ + part199, + select44, + part202, + select45, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg127 = msg("00007:18", all40); + + var part205 = match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg128 = msg("00007:20", part205); + + var part206 = match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); + + var all41 = all_match({ + processors: [ + part206, + dup345, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg129 = msg("00007:21", all41); + + var part207 = match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg130 = msg("00007:22", part207); + + var part208 = match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg131 = msg("00007:23", part208); + + var part209 = 
match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg132 = msg("00007:24", part209); + + var part210 = match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg133 = msg("00007:25", part210); + + var part211 = match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); + + var part212 = match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); + + var part213 = match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); + + var select46 = linear_select([ + part212, + part213, + ]); + + var all42 = all_match({ + processors: [ + part211, + select46, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg134 = msg("00007:26", all42); + + var part214 = match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg135 = msg("00007:27", part214); + + var part215 = match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg136 = msg("00007:28", part215); + + var part216 = match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); + + var part217 = match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); + + var part218 = match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); + + var part219 = match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); + + var part220 = match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); + + var part221 = match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master 
with smaller MAC value%{}"); + + var select47 = linear_select([ + part217, + part218, + part219, + part220, + part221, + ]); + + var all43 = all_match({ + processors: [ + part216, + select47, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg137 = msg("00007:29", all43); + + var part222 = match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg138 = msg("00007:30", part222); + + var part223 = match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); + + var all44 = all_match({ + processors: [ + part223, + dup345, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg139 = msg("00007:31", all44); + + var part224 = match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); + + var select48 = linear_select([ + dup89, + dup88, + ]); + + var part225 = match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); + + var all45 = all_match({ + processors: [ + part224, + select48, + dup23, + dup344, + part225, + ], + on_success: processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg140 = msg("00007:32", all45); + + var part226 = match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); + + var part227 = match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); + + var select49 = linear_select([ + part226, + part227, + ]); + + var part228 = match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); + + var part229 = match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); + + var select50 = linear_select([ + part229, + dup96, + ]); + + var part230 = match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); + + var all46 = all_match({ + processors: [ + select49, + part228, + select50, + 
part230, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg141 = msg("00007:33", all46); + + var part231 = match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ + dup97, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg142 = msg("00007:34", part231); + + var part232 = match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg143 = msg("00007:35", part232); + + var part233 = match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg144 = msg("00007:36", part233); + + var part234 = match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); + + var all47 = all_match({ + processors: [ + part234, + dup346, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg145 = msg("00007:37", all47); + + var part235 = match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); + + var part236 = match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); + + var part237 = match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); + + var part238 = match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); + + var select51 = linear_select([ + part237, + part238, + ]); + + var all48 = all_match({ + processors: [ + part235, + dup347, + dup103, + dup347, + part236, + select51, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg146 = msg("00007:38", all48); + + var part239 = 
match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); + + var all49 = all_match({ + processors: [ + part239, + dup346, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg147 = msg("00007:39", all49); + + var part240 = match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg148 = msg("00007:40", part240); + + var part241 = match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg149 = msg("00007:41", part241); + + var part242 = match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg150 = msg("00007:42", part242); + + var part243 = match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg151 = msg("00007:43", part243); + + var part244 = match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg152 = msg("00007:44", part244); + + var part245 = match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg153 = msg("00007:45", part245); + + var part246 = match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup60, + ])); + + var msg154 = msg("00007:46", part246); + + var part247 = match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg155 = msg("00007:47", part247); + + var part248 = match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ + dup97, + dup2, + dup3, + dup4, + setc("disposition","dropped"), + setc("result","Invalid encryption Password"), + ])); + + var msg156 = msg("00007:48", part248); + + var part249 = match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ + setc("eventcategory","1604000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg157 = msg("00007:49", part249); + + var part250 = match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); + + var part251 = match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); + + var part252 = match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); + + var select52 = linear_select([ + part251, + part252, + ]); + + var part253 = match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); + + var all50 = all_match({ + processors: [ + part250, + select52, + part253, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg158 = msg("00007:50", all50); + + var part254 = match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); + + var part255 = match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); + 
+ var select53 = linear_select([ + dup104, + part255, + ]); + + var select54 = linear_select([ + dup105, + dup73, + ]); + + var part256 = match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); + + var select55 = linear_select([ + dup106, + dup107, + ]); + + var all51 = all_match({ + processors: [ + part254, + select53, + dup23, + select54, + part256, + select55, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg159 = msg("00007:51", all51); + + var part257 = match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg160 = msg("00007:52", part257); + + var part258 = match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg161 = msg("00007:53", part258); + + var part259 = match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg162 = msg("00007:54", part259); + + var part260 = match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg163 = msg("00007:55", part260); + + var part261 = match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg164 = msg("00007:56", part261); + + var select56 = linear_select([ + dup109, + dup110, + ]); + + var 
select57 = linear_select([ + dup111, + dup112, + ]); + + var part262 = match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); + + var all52 = all_match({ + processors: [ + dup55, + select56, + dup23, + select57, + part262, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg165 = msg("00007:57", all52); + + var part263 = match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg166 = msg("00007:58", part263); + + var part264 = match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg167 = msg("00007:59", part264); + + var part265 = match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg168 = msg("00007:60", part265); + + var part266 = match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg169 = msg("00007:61", part266); + + var part267 = match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg170 = msg("00007:62", part267); + + var part268 = match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg171 = msg("00007:63", part268); + + var part269 = match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the 
monitoring list %{p0}"); + + var part270 = match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); + + var all53 = all_match({ + processors: [ + dup348, + part269, + dup349, + part270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg172 = msg("00007:64", all53); + + var part271 = match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); + + var part272 = match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); + + var part273 = match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); + + var select58 = linear_select([ + part272, + part273, + ]); + + var part274 = match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); + + var part275 = match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); + + var all54 = all_match({ + processors: [ + dup348, + part271, + select58, + part274, + dup349, + part275, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg173 = msg("00007:65", all54); + + var part276 = match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); + + var part277 = match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); + + var select59 = linear_select([ + part276, + part277, + ]); + + var part278 = match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); + + var part279 = match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); + + var select60 = linear_select([ + part279, + dup115, + ]); + + var all55 = all_match({ + processors: [ + select59, + part278, + select60, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg174 = msg("00007:66", all55); + + var part280 = match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + 
+ var msg175 = msg("00007:67", part280); + + var part281 = match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); + + var part282 = match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); + + var part283 = match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); + + var select61 = linear_select([ + part282, + part283, + ]); + + var part284 = match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); + + var part285 = match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); + + var part286 = match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); + + var select62 = linear_select([ + part285, + part286, + ]); + + var all56 = all_match({ + processors: [ + part281, + select61, + part284, + select62, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg176 = msg("00007:68", all56); + + var part287 = match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg177 = msg("00007:69", part287); + + var part288 = match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg178 = msg("00007:70", part288); + + var part289 = match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg179 = msg("00007:71", part289); + + var part290 = match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg180 = msg("00007:72", part290); + + var select63 = linear_select([ + msg109, + msg110, + msg111, + msg112, + msg113, + 
msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + msg130, + msg131, + msg132, + msg133, + msg134, + msg135, + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + ]); + + var part291 = match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, + ])); + + var msg181 = msg("00008", part291); + + var msg182 = msg("00008:01", dup341); + + var part292 = match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg183 = msg("00008:02", part292); + + var part293 = match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg184 = msg("00008:03", part293); + + var part294 = match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); + + var part295 = match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); + + var part296 = match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); + + var part297 = match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); + + var select64 = linear_select([ + part295, + part296, + part297, + ]); + + var part298 = 
match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); + + var part299 = match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); + + var part300 = match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); + + var part301 = match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); + + var part302 = match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); + + var part303 = match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); + + var select65 = linear_select([ + part299, + part300, + part301, + part302, + part303, + dup21, + ]); + + var all57 = all_match({ + processors: [ + part294, + select64, + part298, + select65, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), + }); + + var msg185 = msg("00008:04", all57); + + var part304 = match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg186 = msg("00008:05", part304); + + var part305 = match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ])); + + var msg187 = msg("00008:06", part305); + + var part306 = match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup60, + ])); + + var msg188 = msg("00008:07", part306); + + var part307 = match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup60, + ])); + + var msg189 = msg("00008:08", part307); + + var part308 = match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg190 = msg("00008:09", part308); + + var part309 = match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); + + var all58 = all_match({ + processors: [ + part309, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ]), + }); + + var msg191 = msg("00008:10", all58); + + var select66 = linear_select([ + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + msg187, + msg188, + msg189, + msg190, + msg191, + ]); + + var part310 = match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg192 = msg("00009", part310); + + var part311 = match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg193 = msg("00009:01", part311); + + var part312 = match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has 
been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg194 = msg("00009:02", part312); + + var part313 = match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg195 = msg("00009:03", part313); + + var part314 = match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg196 = msg("00009:05", part314); + + var part315 = match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); + + var part316 = match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); + + var select67 = linear_select([ + part315, + part316, + ]); + + var select68 = linear_select([ + dup119, + dup16, + ]); + + var part317 = match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); + + var part318 = match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); + + var select69 = linear_select([ + dup120, + part318, + ]); + + var part319 = match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); + + var part320 = match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); + + var select70 = linear_select([ + part319, + part320, + ]); + + var all59 = all_match({ + processors: [ + select67, + dup118, + select68, + part317, + select69, + dup23, + select70, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg197 = msg("00009:06", all59); + + var part321 = match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); + + 
var part322 = match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); + + var part323 = match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); + + var part324 = match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); + + var select71 = linear_select([ + part323, + part324, + ]); + + var part325 = match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); + + var all60 = all_match({ + processors: [ + part321, + dup337, + part322, + select71, + part325, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg198 = msg("00009:07", all60); + + var part326 = match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg199 = msg("00009:09", part326); + + var part327 = match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); + + var part328 = match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); + + var part329 = match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); + + var select72 = linear_select([ + part328, + part329, + ]); + + var all61 = all_match({ + processors: [ + part327, + select72, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg200 = msg("00009:10", all61); + + var part330 = match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); + + var part331 = match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); + + var select73 = linear_select([ + part330, + part331, + ]); + + var part332 = match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); + + var all62 = all_match({ + processors: [ + select73, + part332, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + 
dup5, + ]), + }); + + var msg201 = msg("00009:11", all62); + + var part333 = match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg202 = msg("00009:12", part333); + + var part334 = match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg203 = msg("00009:13", part334); + + var part335 = match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); + + var part336 = match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); + + var part337 = match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); + + var select74 = linear_select([ + part335, + part336, + part337, + ]); + + var part338 = match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); + + var select75 = linear_select([ + dup122, + dup123, + ]); + + var part339 = match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); + + var select76 = linear_select([ + part339, + dup124, + ]); + + var all63 = all_match({ + processors: [ + select74, + part338, + select75, + dup23, + select76, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg204 = msg("00009:14", all63); + + var part340 = match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); + + var part341 = match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); + + var select77 = linear_select([ + part341, + dup125, + ]); + + var all64 = all_match({ + processors: [ + part340, + select77, + dup126, + dup350, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg205 = msg("00009:15", all64); + + var part342 = 
match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); + + var part343 = match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); + + var select78 = linear_select([ + dup129, + dup130, + part343, + ]); + + var part344 = match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); + + var all65 = all_match({ + processors: [ + part342, + dup350, + dup23, + select78, + part344, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg206 = msg("00009:16", all65); + + var part345 = match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); + + var part346 = match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); + + var part347 = match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); + + var select79 = linear_select([ + part346, + part347, + ]); + + var part348 = match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); + + var all66 = all_match({ + processors: [ + part345, + select79, + part348, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg207 = msg("00009:17", all66); + + var part349 = match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg208 = msg("00009:18", part349); + + var part350 = match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg209 = msg("00009:19", part350); + + var part351 = match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg210 = 
msg("00009:27", part351); + + var part352 = match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); + + var part353 = match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); + + var select80 = linear_select([ + part352, + part353, + ]); + + var part354 = match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); + + var part355 = match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); + + var part356 = match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); + + var part357 = match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); + + var part358 = match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); + + var select81 = linear_select([ + part355, + part356, + part357, + part358, + ]); + + var all67 = all_match({ + processors: [ + select80, + part354, + select81, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg211 = msg("00009:20", all67); + + var part359 = match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var all68 = all_match({ + processors: [ + part359, + dup343, + dup131, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ]), + }); + + var msg212 = msg("00009:21", all68); + + var part360 = match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg213 = msg("00009:22", part360); + + var part361 = match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ])); + + var msg214 = msg("00009:23", part361); + + var part362 = match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); + + var part363 = match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); + + var part364 = match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); + + var select82 = linear_select([ + part363, + part364, + ]); + + var part365 = match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); + + var all69 = all_match({ + processors: [ + part362, + select82, + part365, + ], + on_success: processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), + }); + + var msg215 = msg("00009:24", all69); + + var part366 = match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ])); + + var msg216 = msg("00009:25", part366); + + var part367 = match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); + + var all70 = all_match({ + processors: [ + part367, + dup333, + ], + on_success: processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), + }); + + var msg217 = msg("00009:26", all70); + + var select83 = linear_select([ + msg192, + msg193, + msg194, + msg195, + msg196, + msg197, + msg198, + msg199, + msg200, + msg201, + msg202, + msg203, + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + msg211, + msg212, + msg213, + msg214, + msg215, + msg216, + msg217, + ]); + + var part368 = match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); + + var part369 = match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); + + var part370 = match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); + + var select84 = linear_select([ + part369, + part370, + ]); + + var part371 = match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); + + var part372 = match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); + + var part373 = match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); + + var select85 = linear_select([ + part372, + part373, + dup126, + ]); + + var part374 = match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); + + var all71 = all_match({ + processors: [ + part368, + select84, + part371, + select85, + part374, + dup351, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup5, + dup9, + dup3, + dup61, + ]), + }); + + var msg218 = msg("00010", all71); + + var part375 = match("MESSAGE#217:00010:01", 
"nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg219 = msg("00010:01", part375); + + var part376 = match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg220 = msg("00010:02", part376); + + var all72 = all_match({ + processors: [ + dup132, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup9, + dup3, + dup60, + ]), + }); + + var msg221 = msg("00010:03", all72); + + var select86 = linear_select([ + msg218, + msg219, + msg220, + msg221, + ]); + + var part377 = match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg222 = msg("00011", part377); + + var part378 = match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); + + var select87 = linear_select([ + dup57, + dup56, + ]); + + var part379 = match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); + + var all73 = all_match({ + processors: [ + part378, + select87, + part379, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg223 = msg("00011:01", all73); + + var part380 = match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg224 = msg("00011:02", part380); + + var part381 = match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); + + var part382 = match("MESSAGE#223:00011:03/1_0", 
"nwparser.p0", "import %{p0}"); + + var part383 = match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); + + var select88 = linear_select([ + part382, + part383, + ]); + + var part384 = match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); + + var part385 = match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); + + var part386 = match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); + + var select89 = linear_select([ + part385, + part386, + ]); + + var all74 = all_match({ + processors: [ + part381, + select88, + part384, + select89, + dup36, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg225 = msg("00011:03", all74); + + var part387 = match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); + + var part388 = match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); + + var all75 = all_match({ + processors: [ + part387, + dup352, + part388, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg226 = msg("00011:04", all75); + + var part389 = match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); + + var part390 = match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); + + var select90 = linear_select([ + part389, + part390, + ]); + + var part391 = match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); + + var all76 = all_match({ + processors: [ + dup79, + select90, + part391, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg227 = msg("00011:05", all76); + + 
var part392 = match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup59, + dup3, + dup60, + ])); + + var msg228 = msg("00011:07", part392); + + var part393 = match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg229 = msg("00011:08", part393); + + var part394 = match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg230 = msg("00011:09", part394); + + var part395 = match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg231 = msg("00011:10", part395); + + var part396 = match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg232 = msg("00011:11", part396); + + var part397 = match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg233 = msg("00011:12", part397); + + var part398 = match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg234 = msg("00011:13", part398); 
+ + var part399 = match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); + + var part400 = match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); + + var select91 = linear_select([ + dup134, + part400, + ]); + + var all77 = all_match({ + processors: [ + part399, + select91, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg235 = msg("00011:14", all77); + + var part401 = match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg236 = msg("00011:15", part401); + + var part402 = match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg237 = msg("00011:16", part402); + + var part403 = match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); + + var part404 = match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); + + var part405 = match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); + + var part406 = match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); + + var select92 = linear_select([ + part404, + part405, + part406, + ]); + + var all78 = all_match({ + processors: [ + part403, + select92, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg238 = msg("00011:17", all78); + + var part407 = match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); + + var part408 = match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); + + var select93 = linear_select([ + part407, + part408, + ]); + + var part409 = 
match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); + + var part410 = match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); + + var part411 = match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); + + var select94 = linear_select([ + part410, + part411, + ]); + + var part412 = match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); + + var part413 = match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); + + var select95 = linear_select([ + part413, + dup135, + ]); + + var part414 = match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); + + var all79 = all_match({ + processors: [ + select93, + part409, + select94, + part412, + select95, + part414, + dup350, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg239 = msg("00011:18", all79); + + var part415 = match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); + + var part416 = match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); + + var part417 = match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); + + var select96 = linear_select([ + part416, + part417, + ]); + + var part418 = match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); + + var part419 = match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); + + var select97 = linear_select([ + part419, + dup135, + ]); + + var part420 = match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); + + var part421 = match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); + + var select98 = linear_select([ + dup107, + part421, + ]); + + var all80 = all_match({ + processors: [ + part415, + select96, + part418, + select97, + part420, + 
select98, + dup136, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg240 = msg("00011:19", all80); + + var part422 = match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); + + var select99 = linear_select([ + part422, + dup79, + ]); + + var part423 = match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); + + var all81 = all_match({ + processors: [ + select99, + part423, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg241 = msg("00011:20", all81); + + var part424 = match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg242 = msg("00011:21", part424); + + var part425 = match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg243 = msg("00011:22", part425); + + var all82 = all_match({ + processors: [ + dup132, + dup343, + dup131, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("saddr"), + field("daddr"), + ], + }), + ]), + }); + + var msg244 = msg("00011:23", all82); + + var part426 = match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg245 = msg("00011:24", part426); + + var part427 = match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg246 = msg("00011:25", part427); + + var part428 = match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg247 = msg("00011:26", part428); + + var select100 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + msg230, + msg231, + msg232, + msg233, + msg234, + msg235, + msg236, + msg237, + msg238, + msg239, + msg240, + msg241, + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + ]); + + var part429 = match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg248 = msg("00012:02", part429); + + var part430 = match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg249 = msg("00012:03", part430); + + var part431 = match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg250 = msg("00012:04", part431); + + var part432 = match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} 
(%{fld2}) (%{fld3})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg251 = msg("00012:05", part432); + + var part433 = match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ])); + + var msg252 = msg("00012:06", part433); + + var part434 = match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + dup59, + ])); + + var msg253 = msg("00012:07", part434); + + var part435 = match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg254 = msg("00012:08", part435); + + var all83 = all_match({ + processors: [ + dup80, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg255 = msg("00012:09", all83); + + var all84 = all_match({ + processors: [ + dup132, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg256 = msg("00012:10", all84); + + var part436 = match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup9, + dup61, + ])); + + var msg257 = msg("00012:11", part436); + + var part437 = match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg258 = msg("00012:12", part437); + + var part438 = match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg259 = msg("00012", part438); + + var part439 = match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg260 = msg("00012:01", part439); + + var select101 = linear_select([ + msg248, + msg249, + msg250, + msg251, + msg252, + msg253, + msg254, + msg255, + msg256, + msg257, + msg258, + msg259, + msg260, + ]); + + var part440 = match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg261 = msg("00013", part440); + + var part441 = match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), + ])); + + var msg262 = msg("00013:01", part441); + + var part442 = match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg263 = msg("00013:02", part442); + + var part443 = match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg264 = msg("00013:03", part443); + + var select102 = linear_select([ + msg261, + msg262, + msg263, + msg264, + ]); + + var part444 = match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg265 = msg("00014", part444); + + var part445 = match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); + + var part446 = match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); + + var part447 = match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); + + var select103 = linear_select([ + part446, + part447, + ]); + + var all85 = all_match({ + processors: [ + part445, + select103, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg266 = msg("00014:01", all85); + + var part448 = match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg267 = msg("00014:02", part448); + 
+ var part449 = match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg268 = msg("00014:03", part449); + + var part450 = match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg269 = msg("00014:04", part450); + + var part451 = match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg270 = msg("00014:05", part451); + + var part452 = match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg271 = msg("00014:06", part452); + + var part453 = match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg272 = msg("00014:07", part453); + + var part454 = match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ + dup27, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg273 = msg("00014:08", part454); + + var select104 = linear_select([ + msg265, + msg266, + msg267, + msg268, + msg269, + msg270, + msg271, + msg272, + msg273, + ]); + + var part455 = match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg274 = msg("00015", part455); + + var part456 = match("MESSAGE#273:00015:01", 
"nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg275 = msg("00015:01", part456); + + var part457 = match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); + + var part458 = match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); + + var part459 = match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); + + var part460 = match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); + + var select105 = linear_select([ + part458, + dup137, + part459, + part460, + ]); + + var all86 = all_match({ + processors: [ + part457, + select105, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg276 = msg("00015:02", all86); + + var part461 = match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg277 = msg("00015:03", part461); + + var part462 = match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); + + var part463 = match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); + + var select106 = linear_select([ + dup139, + dup140, + part463, + ]); + + var all87 = all_match({ + processors: [ + part462, + select106, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg278 = msg("00015:04", all87); + + var part464 = match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); + + var part465 = match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); + + var part466 = match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); + + var part467 = match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); + + var select107 = linear_select([ + part465, + part466, + 
dup76, + part467, + ]); + + var all88 = all_match({ + processors: [ + part464, + select107, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg279 = msg("00015:05", all88); + + var part468 = match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); + + var part469 = match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); + + var select108 = linear_select([ + part468, + part469, + ]); + + var part470 = match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); + + var all89 = all_match({ + processors: [ + select108, + part470, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg280 = msg("00015:06", all89); + + var part471 = match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg281 = msg("00015:07", part471); + + var part472 = match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ + dup141, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg282 = msg("00015:08", part472); + + var part473 = match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); + + var part474 = match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); + + var select109 = linear_select([ + part473, + part474, + ]); + + var part475 = match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); + + var all90 = all_match({ + processors: [ + select109, + part475, + ], + on_success: processor_chain([ + dup141, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg283 = msg("00015:09", all90); + + var part476 = match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + 
var msg284 = msg("00015:10", part476); + + var part477 = match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg285 = msg("00015:11", part477); + + var part478 = match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); + + var part479 = match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); + + var select110 = linear_select([ + part478, + part479, + ]); + + var part480 = match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); + + var part481 = match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); + + var all91 = all_match({ + processors: [ + dup87, + select110, + part480, + dup353, + dup103, + dup353, + part481, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg286 = msg("00015:12", all91); + + var part482 = match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg287 = msg("00015:13", part482); + + var part483 = match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); + + var all92 = all_match({ + processors: [ + part483, + dup353, + dup116, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg288 = msg("00015:14", all92); + + var part484 = match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg289 = msg("00015:15", part484); + + var part485 = match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg290 = msg("00015:16", part485); + + var part486 = match("MESSAGE#289:00015:17", 
"nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg291 = msg("00015:17", part486); + + var part487 = match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + setc("change_attribute","RTO mirror group"), + ])); + + var msg292 = msg("00015:18", part487); + + var part488 = match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg293 = msg("00015:19", part488); + + var part489 = match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg294 = msg("00015:20", part489); + + var part490 = match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); + + var part491 = match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); + + var part492 = match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); + + var select111 = linear_select([ + part491, + part492, + ]); + + var all93 = all_match({ + processors: [ + part490, + select111, + dup116, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg295 = msg("00015:21", all93); + + var part493 = match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); + + var part494 = match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); + + var part495 = match("MESSAGE#294:00015:22/0_2", 
"nwparser.payload", "Peer %{p0}"); + + var select112 = linear_select([ + part493, + part494, + part495, + ]); + + var part496 = match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); + + var all94 = all_match({ + processors: [ + select112, + part496, + dup354, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg296 = msg("00015:22", all94); + + var part497 = match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg297 = msg("00015:23", part497); + + var part498 = match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg298 = msg("00015:24", part498); + + var part499 = match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ + setc("eventcategory","1613050100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg299 = msg("00015:25", part499); + + var part500 = match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. 
Verification failed", processor_chain([ + dup97, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg300 = msg("00015:29", part500); + + var part501 = match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); + + var part502 = match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); + + var part503 = match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); + + var select113 = linear_select([ + part502, + part503, + ]); + + var all95 = all_match({ + processors: [ + part501, + select113, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg301 = msg("00015:26", all95); + + var part504 = match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + dup146, + ])); + + var msg302 = msg("00015:33", part504); + + var part505 = match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg303 = msg("00015:27", part505); + + var part506 = match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg304 = msg("00015:28", part506); + + var part507 = match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); + + var part508 = match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); + + var all96 = all_match({ + processors: [ + part507, + dup355, + part508, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg305 = msg("00015:30", all96); + + var part509 = match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ + 
dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg306 = msg("00015:31", part509); + + var part510 = match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg307 = msg("00015:32", part510); + + var select114 = linear_select([ + msg274, + msg275, + msg276, + msg277, + msg278, + msg279, + msg280, + msg281, + msg282, + msg283, + msg284, + msg285, + msg286, + msg287, + msg288, + msg289, + msg290, + msg291, + msg292, + msg293, + msg294, + msg295, + msg296, + msg297, + msg298, + msg299, + msg300, + msg301, + msg302, + msg303, + msg304, + msg305, + msg306, + msg307, + ]); + + var part511 = match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg308 = msg("00016", part511); + + var part512 = match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg309 = msg("00016:01", part512); + + var part513 = match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ + dup1, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg310 = msg("00016:02", part513); + + var part514 = match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg311 = msg("00016:03", part514); + + var part515 = 
match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg312 = msg("00016:05", part515); + + var part516 = match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg313 = msg("00016:06", part516); + + var part517 = match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); + + var all97 = all_match({ + processors: [ + part517, + dup338, + dup67, + ], + on_success: processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg314 = msg("00016:07", all97); + + var part518 = match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + setc("eventcategory","1001020305"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg315 = msg("00016:08", part518); + + var part519 = match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + setc("eventcategory","1001030305"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg316 = msg("00016:09", part519); + + var select115 = linear_select([ + msg308, + msg309, + msg310, + msg311, + msg312, + msg313, + msg314, + msg315, + msg316, + ]); + + var part520 = match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ])); + + var msg317 = msg("00017", part520); + + var part521 = match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); + + var part522 = match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); + + var part523 = match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); + + var select116 = linear_select([ + part522, + part523, + ]); + + var part524 = match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); + + var all98 = all_match({ + processors: [ + part521, + select116, + part524, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg318 = msg("00017:23", all98); + + var part525 = match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); + + var part526 = match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); + + var select117 = linear_select([ + part525, + part526, + ]); + + var part527 = match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); + + var part528 = match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); + + var all99 = all_match({ + processors: [ + select117, + part527, + dup356, + part528, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg319 = msg("00017:01", all99); + + var part529 = match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg320 = msg("00017:02", part529); + + var part530 = match("MESSAGE#319:00017:03", 
"nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg321 = msg("00017:03", part530); + + var part531 = match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); + + var all100 = all_match({ + processors: [ + dup153, + dup357, + part531, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg322 = msg("00017:04", all100); + + var part532 = match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg323 = msg("00017:05", part532); + + var part533 = match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); + + var part534 = match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); + + var part535 = match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); + + var select118 = linear_select([ + part534, + dup101, + part535, + ]); + + var all101 = all_match({ + processors: [ + part533, + select118, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg324 = msg("00017:06", all101); + + var part536 = match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); + + var part537 = match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); + + var part538 = match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); + + var part539 = match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); + + var part540 = match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); + + var select119 = linear_select([ + part537, + part538, + dup98, + part539, + part540, + ]); + + var all102 = all_match({ + processors: [ + part536, + select119, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + 
dup5, + ]), + }); + + var msg325 = msg("00017:07", all102); + + var part541 = match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg326 = msg("00017:08", part541); + + var part542 = match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); + + var part543 = match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); + + var select120 = linear_select([ + part542, + part543, + ]); + + var part544 = match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); + + var part545 = match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); + + var part546 = match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); + + var part547 = match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); + + var select121 = linear_select([ + part545, + part546, + part547, + ]); + + var part548 = match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); + + var part549 = match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); + + var part550 = match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); + + var select122 = linear_select([ + part549, + part550, + dup36, + ]); + + var all103 = all_match({ + processors: [ + select120, + part544, + select121, + part548, + select122, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg327 = msg("00017:09", all103); + + var part551 = match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. 
Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); + + var all104 = all_match({ + processors: [ + part551, + dup358, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg328 = msg("00017:10", all104); + + var part552 = match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg329 = msg("00017:11", part552); + + var part553 = match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); + + var part554 = match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); + + var select123 = linear_select([ + dup109, + dup110, + part554, + ]); + + var all105 = all_match({ + processors: [ + part553, + select123, + dup127, + dup359, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg330 = msg("00017:12", all105); + + var part555 = match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg331 = msg("00017:26", part555); + + var part556 = match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg332 = msg("00017:13", part556); + + var part557 = match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup9, + dup5, + ])); + + var msg333 = msg("00017:14", part557); + + var part558 = match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); + + var part559 = match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); + + var all106 = all_match({ + processors: [ + part558, + dup360, + part559, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg334 = msg("00017:15", all106); + + var part560 = match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); + + var part561 = match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); + + var all107 = all_match({ + processors: [ + part560, + dup360, + part561, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg335 = msg("00017:31", all107); + + var part562 = match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); + + var all108 = all_match({ + processors: [ + part562, + dup359, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg336 = msg("00017:16", all108); + + var part563 = match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); + + var select124 = linear_select([ + dup99, + dup93, + ]); + + var all109 = all_match({ + processors: [ + part563, + select124, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg337 = msg("00017:17", all109); + + var part564 = match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); + + var all110 = all_match({ + processors: [ + dup153, + 
dup357, + part564, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg338 = msg("00017:18", all110); + + var part565 = match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); + + var part566 = match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); + + var all111 = all_match({ + processors: [ + part565, + dup337, + part566, + ], + on_success: processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ]), + }); + + var msg339 = msg("00017:19", all111); + + var all112 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup151, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + ]), + }); + + var msg340 = msg("00017:20", all112); + + var part567 = match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ])); + + var msg341 = msg("00017:21", part567); + + var part568 = match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg342 = msg("00017:22", part568); + + var part569 = match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg343 = msg("00017:24", part569); + + var part570 = match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg344 = msg("00017:25", part570); + + var part571 = match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg345 = msg("00017:28", part571); + + var part572 = match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg346 = msg("00017:29", part572); + + var select125 = linear_select([ + msg317, + msg318, + msg319, + msg320, + msg321, + msg322, + msg323, + msg324, + msg325, + msg326, + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + msg346, + ]); + + var part573 = match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg347 = msg("00018", part573); + + var part574 = match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ + setc("eventcategory","1502010000"), + dup2, + dup4, + dup5, + dup3, + ])); + + var msg348 = msg("00018:01", part574); + + var part575 = match("MESSAGE#347:00018:02", "nwparser.payload", "Device%{quote}s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg349 = msg("00018:02", part575); + + var part576 = match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg350 = msg("00018:04", part576); + + var part577 = match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg351 = msg("00018:16", part577); + + var part578 = match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); + + var part579 = 
match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); + + var part580 = match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); + + var select126 = linear_select([ + part579, + part580, + ]); + + var part581 = match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); + + var all113 = all_match({ + processors: [ + part578, + select126, + part581, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg352 = msg("00018:06", all113); + + var part582 = match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg353 = msg("00018:08", part582); + + var part583 = match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup3, + dup2, + dup9, + dup4, + dup5, + ])); + + var msg354 = msg("00018:09", part583); + + var part584 = match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); + + var part585 = match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); + + var part586 = match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); + + var select127 = linear_select([ + part585, + part586, + ]); + + var part587 = match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); + + var all114 = all_match({ + processors: [ + part584, + select127, + part587, + ], + on_success: processor_chain([ + dup17, + dup3, + dup2, + dup9, + dup4, + dup5, + ]), + }); + + var msg355 = msg("00018:10", all114); + + var part588 = match("MESSAGE#354:00018:11/1_0", 
"nwparser.p0", "Service %{service->} was %{p0}"); + + var part589 = match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); + + var select128 = linear_select([ + part588, + part589, + ]); + + var part590 = match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); + + var part591 = match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); + + var select129 = linear_select([ + part591, + dup16, + ]); + + var all115 = all_match({ + processors: [ + dup160, + select128, + part590, + select129, + dup10, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg356 = msg("00018:11", all115); + + var part592 = match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); + + var part593 = match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); + + var part594 = match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); + + var part595 = match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); + + var select130 = linear_select([ + part593, + part594, + part595, + ]); + + var part596 = match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + + var all116 = all_match({ + processors: [ + part592, + select130, + part596, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg357 = msg("00018:12", all116); + + var part597 = match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); + + var all117 = all_match({ + processors: [ + dup361, + part597, + dup362, + dup164, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg358 = msg("00018:32", 
all117); + + var part598 = match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); + + var all118 = all_match({ + processors: [ + dup361, + part598, + dup362, + dup164, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg359 = msg("00018:22", all118); + + var part599 = match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); + + var select131 = linear_select([ + dup78, + dup77, + ]); + + var part600 = match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); + + var all119 = all_match({ + processors: [ + part599, + select131, + part600, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg360 = msg("00018:15", all119); + + var part601 = match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); + + var part602 = match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); + + var part603 = match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); + + var select132 = linear_select([ + part602, + part603, + ]); + + var part604 = match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); + + var part605 = match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); + + var part606 = match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); + + var part607 = match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); + + var select133 = linear_select([ + part605, + part606, + part607, + ]); + + var part608 = match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + + var all120 = all_match({ + processors: [ + part601, + select132, + part604, + select133, + part608, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + 
dup9, + dup4, + dup5, + ]), + }); + + var msg361 = msg("00018:14", all120); + + var part609 = match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg362 = msg("00018:29", part609); + + var part610 = match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg363 = msg("00018:07", part610); + + var part611 = match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg364 = msg("00018:18", part611); + + var part612 = match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg365 = msg("00018:17", part612); + + var part613 = match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg366 = msg("00018:19", part613); + + var part614 = match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); + + var part615 = match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); + + var select134 = linear_select([ + part614, + part615, + ]); + + var part616 = match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); + + var part617 = match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); + + var select135 = linear_select([ + part617, + dup103, + ]); + + var part618 = match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); + + var part619 = match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var select136 = linear_select([ + part618, + part619, + ]); + + var part620 = match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); + + var all121 = all_match({ + processors: [ + select134, + part616, + select135, + dup23, + select136, + part620, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg367 = msg("00018:23", all121); + + var part621 = match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg368 = msg("00018:21", part621); + + var part622 = match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg369 = msg("00018:24", part622); + + var part623 = match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); + + var all122 = all_match({ + processors: [ + dup363, + part623, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg370 = msg("00018:25", all122); + + var part624 = match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); + + var all123 = all_match({ + processors: [ + dup363, + part624, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg371 = msg("00018:30", all123); + + var part625 = match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); + + var part626 = match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); + + var select137 = linear_select([ + dup48, + part626, + ]); + + var all124 = all_match({ + processors: [ + part625, + dup364, + select137, + dup41, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg372 = msg("00018:26", all124); + + var part627 = match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg373 = msg("00018:27", part627); + + var part628 = match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ + dup17, + dup2, + dup4, + dup5, + dup9, + setc("info","the DI attack component was modified"), + ])); + + var msg374 = msg("00018:28", part628); + + var part629 = match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg375 = msg("00018:03", part629); + + var part630 = match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg376 = msg("00018:31", part630); + + var select138 = linear_select([ + msg347, + msg348, + msg349, + msg350, + msg351, + msg352, + msg353, + msg354, + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + msg362, + msg363, + msg364, + msg365, + msg366, + msg367, + msg368, + msg369, + msg370, + msg371, + msg372, + msg373, + msg374, + msg375, + msg376, + ]); + + var part631 = match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg377 = msg("00019", part631); + + var part632 = match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); + + var all125 = all_match({ + processors: [ + dup165, + dup365, + part632, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg378 = msg("00019:01", all125); + + var part633 = match("MESSAGE#376:00019:02/0", 
"nwparser.payload", "Socket cannot be assigned for %{p0}"); + + var part634 = match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); + + var part635 = match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); + + var select139 = linear_select([ + part634, + part635, + ]); + + var all126 = all_match({ + processors: [ + part633, + select139, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg379 = msg("00019:02", all126); + + var part636 = match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg380 = msg("00019:03", part636); + + var select140 = linear_select([ + dup169, + dup78, + ]); + + var select141 = linear_select([ + dup139, + dup170, + dup137, + dup122, + ]); + + var all127 = all_match({ + processors: [ + dup168, + select140, + dup23, + select141, + dup171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg381 = msg("00019:04", all127); + + var part637 = match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); + + var part638 = match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); + + var part639 = match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); + + var part640 = match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); + + var part641 = match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); + + var part642 = match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); + + var part643 = match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); + + var part644 = match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); + + var part645 = match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); + + var select142 = linear_select([ + part638, + part639, + part640, + part641, + part642, + part643, + part644, + part645, + 
]); + + var all128 = all_match({ + processors: [ + part637, + select142, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg382 = msg("00019:05", all128); + + var part646 = match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); + + var all129 = all_match({ + processors: [ + dup168, + dup366, + part646, + dup367, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg383 = msg("00019:06", all129); + + var part647 = match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg384 = msg("00019:07", part647); + + var part648 = match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg385 = msg("00019:08", part648); + + var part649 = match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); + + var select143 = linear_select([ + dup139, + dup170, + dup137, + ]); + + var all130 = all_match({ + processors: [ + part649, + select143, + dup171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg386 = msg("00019:09", all130); + + var part650 = match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); + + var part651 = match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); + + var select144 = linear_select([ + part650, + part651, + ]); + + var all131 = all_match({ + processors: [ + dup183, + select144, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg387 = msg("00019:10", all131); + + var part652 = match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); + + var all132 = all_match({ + processors: [ + dup165, + dup365, + 
part652, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg388 = msg("00019:11", all132); + + var part653 = match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg389 = msg("00019:12", part653); + + var part654 = match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); + + var select145 = linear_select([ + dup107, + dup106, + ]); + + var part655 = match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); + + var all133 = all_match({ + processors: [ + part654, + select145, + part655, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg390 = msg("00019:13", all133); + + var part656 = match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); + + var all134 = all_match({ + processors: [ + dup168, + dup366, + part656, + dup367, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg391 = msg("00019:14", all134); + + var part657 = match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg392 = msg("00019:15", part657); + + var part658 = match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ + setc("eventcategory","1701030000"), + setc("ec_activity","Delete"), + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg393 = msg("00019:16", part658); + + var part659 = match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg394 = msg("00019:17", part659); + + var 
part660 = match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); + + var part661 = match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); + + var part662 = match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); + + var select146 = linear_select([ + part661, + part662, + ]); + + var all135 = all_match({ + processors: [ + part660, + select146, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg395 = msg("00019:18", all135); + + var part663 = match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg396 = msg("00019:19", part663); + + var part664 = match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. 
(%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg397 = msg("00019:20", part664); + + var select147 = linear_select([ + msg377, + msg378, + msg379, + msg380, + msg381, + msg382, + msg383, + msg384, + msg385, + msg386, + msg387, + msg388, + msg389, + msg390, + msg391, + msg392, + msg393, + msg394, + msg395, + msg396, + msg397, + ]); + + var part665 = match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg398 = msg("00020", part665); + + var part666 = match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); + + var part667 = match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); + + var select148 = linear_select([ + dup152, + part667, + ]); + + var part668 = match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); + + var part669 = match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); + + var part670 = match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); + + var select149 = linear_select([ + part669, + part670, + ]); + + var all136 = all_match({ + processors: [ + part666, + select148, + part668, + select149, + ], + on_success: processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg399 = msg("00020:01", all136); + + var part671 = match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg400 = msg("00020:02", part671); + + var select150 = linear_select([ + msg398, + msg399, + msg400, + ]); + + var part672 = match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg401 = msg("00021", part672); + + var 
part673 = match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg402 = msg("00021:01", part673); + + var part674 = match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg403 = msg("00021:02", part674); + + var part675 = match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ + dup185, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg404 = msg("00021:03", part675); + + var part676 = match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg405 = msg("00021:04", part676); + + var part677 = match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg406 = msg("00021:05", part677); + + var part678 = match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + setc("info","DIP port-translation stickiness was modified"), + ])); + + var msg407 = msg("00021:06", part678); + + var select151 = linear_select([ + msg401, + msg402, + msg403, + msg404, + msg405, + msg406, + msg407, + ]); + + var part679 = match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); + + var part680 = match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); + + var select152 = linear_select([ + part679, + part680, + ]); + + var part681 = match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning 
properly"); + + var all137 = all_match({ + processors: [ + dup186, + select152, + part681, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg408 = msg("00022", all137); + + var part682 = match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); + + var part683 = match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); + + var part684 = match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); + + var select153 = linear_select([ + part682, + part683, + part684, + ]); + + var part685 = match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); + + var all138 = all_match({ + processors: [ + select153, + part685, + dup368, + ], + on_success: processor_chain([ + dup187, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg409 = msg("00022:01", all138); + + var part686 = match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg410 = msg("00022:02", part686); + + var part687 = match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg411 = msg("00022:03", part687); + + var part688 = match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); + + var part689 = match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); + + var part690 = match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); + + var part691 = match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); + + var part692 = match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); + + var select154 = linear_select([ + part689, + part690, + part691, + part692, + ]); + + var part693 = 
match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); + + var all139 = all_match({ + processors: [ + part688, + select154, + part693, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg412 = msg("00022:04", all139); + + var part694 = match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg413 = msg("00022:05", part694); + + var part695 = match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); + + var part696 = match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); + + var part697 = match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); + + var select155 = linear_select([ + part696, + part697, + ]); + + var part698 = match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); + + var all140 = all_match({ + processors: [ + part695, + select155, + part698, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg414 = msg("00022:06", all140); + + var part699 = match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg415 = msg("00022:07", part699); + + var part700 = match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); + + var part701 = match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); + + var part702 = match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); + + var select156 = linear_select([ + part700, + part701, + part702, + ]); + + var part703 = match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); + + var part704 = match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); + + var select157 = 
linear_select([ + part704, + dup96, + ]); + + var part705 = match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); + + var part706 = match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); + + var select158 = linear_select([ + part706, + dup96, + ]); + + var part707 = match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); + + var all141 = all_match({ + processors: [ + select156, + part703, + select157, + part705, + select158, + part707, + ], + on_success: processor_chain([ + dup188, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg416 = msg("00022:08", all141); + + var part708 = match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); + + var select159 = linear_select([ + dup191, + dup192, + ]); + + var part709 = match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); + + var all142 = all_match({ + processors: [ + dup55, + dup369, + part708, + select159, + part709, + ], + on_success: processor_chain([ + dup188, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg417 = msg("00022:09", all142); + + var part710 = match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); + + var part711 = match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); + + var part712 = match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); + + var select160 = linear_select([ + part711, + part712, + ]); + + var all143 = all_match({ + processors: [ + part710, + select160, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg418 = msg("00022:10", all143); + + var part713 = match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); + + var part714 = match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); + + var part715 = match("MESSAGE#416:00022:11/1_1", 
"nwparser.p0", "the loader, but the loader is intact%{}"); + + var select161 = linear_select([ + part714, + part715, + ]); + + var all144 = all_match({ + processors: [ + part713, + select161, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg419 = msg("00022:11", all144); + + var part716 = match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); + + var select162 = linear_select([ + dup192, + dup191, + ]); + + var part717 = match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); + + var all145 = all_match({ + processors: [ + part716, + select162, + part717, + ], + on_success: processor_chain([ + dup188, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg420 = msg("00022:12", all145); + + var part718 = match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg421 = msg("00022:13", part718); + + var part719 = match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg422 = msg("00022:14", part719); + + var select163 = linear_select([ + msg408, + msg409, + msg410, + msg411, + msg412, + msg413, + msg414, + msg415, + msg416, + msg417, + msg418, + msg419, + msg420, + msg421, + msg422, + ]); + + var part720 = match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg423 = msg("00023", part720); + + var part721 = match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg424 = msg("00023:01", part721); + + var part722 = match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg425 = msg("00023:02", part722); + + var select164 = linear_select([ + msg423, + msg424, + msg425, + ]); + + var part723 = match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); + + var part724 = match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); + + var select165 = linear_select([ + part723, + part724, + ]); + + var part725 = match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); + + var part726 = match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); + + var select166 = linear_select([ + part725, + part726, + ]); + + var all146 = all_match({ + processors: [ + select165, + dup193, + select166, + dup52, + dup368, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg426 = msg("00024", all146); + + var part727 = match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); + + var part728 = match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); + + var part729 = 
match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); + + var part730 = match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); + + var part731 = match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); + + var select167 = linear_select([ + part727, + part728, + part729, + part730, + part731, + ]); + + var part732 = match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); + + var all147 = all_match({ + processors: [ + select167, + part732, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg427 = msg("00024:01", all147); + + var part733 = match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); + + var part734 = match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); + + var part735 = match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); + + var select168 = linear_select([ + part734, + part735, + ]); + + var part736 = match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); + + var all148 = all_match({ + processors: [ + part733, + select168, + part736, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg428 = msg("00024:02", all148); + + var part737 = match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); + + var select169 = linear_select([ + dup194, + dup106, + ]); + + var part738 = match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. 
(%{fld1})"); + + var all149 = all_match({ + processors: [ + part737, + select169, + part738, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg429 = msg("00024:03", all149); + + var select170 = linear_select([ + msg426, + msg427, + msg428, + msg429, + ]); + + var part739 = match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg430 = msg("00025", part739); + + var part740 = match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg431 = msg("00025:01", part740); + + var part741 = match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg432 = msg("00025:02", part741); + + var part742 = match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg433 = msg("00025:03", part742); + + var part743 = match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg434 = msg("00025:04", part743); + + var select171 = linear_select([ + msg430, + msg431, + msg432, + msg433, + msg434, + ]); + + var part744 = match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg435 = msg("00026", part744); + + var part745 = match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg436 = msg("00026:13", part745); + + var part746 = match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); + + var part747 = match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); + + var all150 = all_match({ + processors: [ + dup195, + dup370, + part746, + dup371, + part747, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg437 = msg("00026:01", all150); + + var part748 = match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); + + var select172 = linear_select([ + part748, + dup96, + ]); + + var part749 = match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); + + var part750 = match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); + + var part751 = match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); + + var select173 = linear_select([ + part750, + part751, + ]); + + var all151 = all_match({ + processors: [ + dup195, + select172, + part749, + select173, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg438 = msg("00026:02", all151); + + var part752 = match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); + + var all152 = all_match({ + processors: [ + dup195, + dup370, + part752, + ], 
+ on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg439 = msg("00026:03", all152); + + var part753 = match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ + dup198, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg440 = msg("00026:04", part753); + + var part754 = match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ + dup198, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg441 = msg("00026:05", part754); + + var part755 = match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ + dup199, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg442 = msg("00026:06", part755); + + var part756 = match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ + dup199, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg443 = msg("00026:07", part756); + + var part757 = match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); + + var part758 = match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); + + var all153 = all_match({ + processors: [ + part757, + dup372, + part758, + ], + on_success: processor_chain([ + dup199, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg444 = msg("00026:08", all153); + + var part759 = match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + 
])); + + var msg445 = msg("00026:09", part759); + + var part760 = match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); + + var part761 = match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); + + var part762 = match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); + + var select174 = linear_select([ + part761, + part762, + ]); + + var part763 = match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); + + var select175 = linear_select([ + part763, + dup201, + ]); + + var part764 = match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); + + var all154 = all_match({ + processors: [ + part760, + select174, + dup103, + select175, + dup202, + dup373, + part764, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg446 = msg("00026:10", all154); + + var part765 = match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg447 = msg("00026:11", part765); + + var part766 = match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. 
All Phase 1 and 2 SAs have been removed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg448 = msg("00026:12", part766); + + var select176 = linear_select([ + msg435, + msg436, + msg437, + msg438, + msg439, + msg440, + msg441, + msg442, + msg443, + msg444, + msg445, + msg446, + msg447, + msg448, + ]); + + var part767 = match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); + + var part768 = match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); + + var part769 = match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); + + var part770 = match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); + + var select177 = linear_select([ + part768, + part769, + part770, + ]); + + var all155 = all_match({ + processors: [ + dup204, + dup374, + part767, + select177, + ], + on_success: processor_chain([ + dup206, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg449 = msg("00027", all155); + + var part771 = match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg450 = msg("00027:01", part771); + + var part772 = match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg451 = msg("00027:02", part772); + + var part773 = match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. 
%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg452 = msg("00027:03", part773); + + var part774 = match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg453 = msg("00027:04", part774); + + var part775 = match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); + + var part776 = match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); + + var part777 = match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); + + var select178 = linear_select([ + part776, + part777, + ]); + + var part778 = match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); + + var part779 = match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); + + var select179 = linear_select([ + part779, + dup127, + ]); + + var select180 = linear_select([ + dup207, + dup208, + ]); + + var all156 = all_match({ + processors: [ + part775, + select178, + part778, + select179, + dup23, + select180, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg454 = msg("00027:05", all156); + + var part780 = match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); + + var select181 = linear_select([ + dup208, + dup207, + ]); + + var all157 = all_match({ + processors: [ + part780, + select181, + ], + on_success: processor_chain([ + setc("eventcategory","1606000000"), + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg455 = msg("00027:06", all157); + + var part781 = match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. 
%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg456 = msg("00027:07", part781); + + var part782 = match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg457 = msg("00027:08", part782); + + var part783 = match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg458 = msg("00027:09", part783); + + var part784 = match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg459 = msg("00027:10", part784); + + var part785 = match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg460 = msg("00027:11", part785); + + var part786 = match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); + + var part787 = match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); + + var select182 = linear_select([ + part787, + dup193, + ]); + + var part788 = match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. 
Server url: %{url}"); + + var all158 = all_match({ + processors: [ + part786, + select182, + part788, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg461 = msg("00027:12", all158); + + var part789 = match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); + + var all159 = all_match({ + processors: [ + dup204, + dup374, + part789, + ], + on_success: processor_chain([ + dup206, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg462 = msg("00027:13", all159); + + var part790 = match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); + + var part791 = match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); + + var part792 = match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); + + var select183 = linear_select([ + part791, + part792, + ]); + + var part793 = match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); + + var all160 = all_match({ + processors: [ + part790, + select183, + part793, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg463 = msg("00027:14", all160); + + var part794 = match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg464 = msg("00027:15", part794); + + var part795 = match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg465 = msg("00027:16", part795); + + var part796 = match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg466 = msg("00027:17", part796); + + var part797 = match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg467 = msg("00027:18", part797); + + var part798 = match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg468 = msg("00027:19", part798); + + var select184 = linear_select([ + msg449, + msg450, + msg451, + msg452, + msg453, + msg454, + msg455, + msg456, + msg457, + msg458, + msg459, + msg460, + msg461, + msg462, + msg463, + msg464, + msg465, + msg466, + msg467, + msg468, + ]); + + var part799 = match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); + + var part800 = match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); + + var part801 = match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); + + var select185 = linear_select([ + part799, + part800, + part801, + ]); + + var part802 = match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has 
attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); + + var all161 = all_match({ + processors: [ + select185, + part802, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + setc("signame","Attempt to Connect to the NetScreen-Global Port"), + ]), + }); + + var msg469 = msg("00028", all161); + + var part803 = match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg470 = msg("00029", part803); + + var part804 = match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg471 = msg("00029:01", part804); + + var part805 = match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); + + var part806 = match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); + + var part807 = match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); + + var select186 = linear_select([ + part806, + part807, + ]); + + var part808 = match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); + + var all162 = all_match({ + processors: [ + part805, + select186, + part808, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg472 = msg("00029:02", all162); + + var part809 = match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. 
Unable to %{p0}"); + + var part810 = match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); + + var part811 = match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); + + var select187 = linear_select([ + part810, + part811, + ]); + + var part812 = match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); + + var all163 = all_match({ + processors: [ + dup210, + dup337, + part809, + select187, + part812, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg473 = msg("00029:03", all163); + + var part813 = match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg474 = msg("00029:04", part813); + + var select188 = linear_select([ + msg470, + msg471, + msg472, + msg473, + msg474, + ]); + + var part814 = match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg475 = msg("00030", part814); + + var part815 = match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); + + var part816 = match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); + + var part817 = match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); + + var select189 = linear_select([ + part816, + part817, + ]); + + var all164 = all_match({ + processors: [ + part815, + select189, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg476 = msg("00030:01", all164); + + var part818 = match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg477 = msg("00030:05", part818); + + var part819 = 
match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg478 = msg("00030:06", part819); + + var part820 = match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg479 = msg("00030:07", part820); + + var part821 = match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg480 = msg("00030:10", part821); + + var part822 = match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg481 = msg("00030:12", part822); + + var part823 = match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); + + var part824 = match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); + + var part825 = match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); + + var select190 = linear_select([ + part824, + part825, + ]); + + var all165 = all_match({ + processors: [ + part823, + select190, + ], + on_success: processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg482 = msg("00030:13", all165); + + var part826 = match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); + + var part827 = match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); + + var part828 = match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); + + var part829 = match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); + + var select191 = linear_select([ + part826, + part827, + part828, + part829, + ]); + + var part830 = 
match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); + + var part831 = match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); + + var select192 = linear_select([ + part831, + dup16, + ]); + + var part832 = match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); + + var all166 = all_match({ + processors: [ + dup55, + select191, + part830, + select192, + part832, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg483 = msg("00030:14", all166); + + var msg484 = msg("00030:02", dup375); + + var part833 = match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg485 = msg("00030:15", part833); + + var part834 = match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg486 = msg("00030:16", part834); + + var part835 = match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg487 = msg("00030:18", part835); + + var part836 = match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); + + var part837 = match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); + + var part838 = match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); + + var select193 = linear_select([ + part837, + part838, + ]); + + var part839 = match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); + + var all167 = all_match({ + processors: [ + part836, + select193, + part839, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var 
msg488 = msg("00030:19", all167); + + var part840 = match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg489 = msg("00030:30", part840); + + var part841 = match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg490 = msg("00030:31", part841); + + var part842 = match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg491 = msg("00030:32", part842); + + var part843 = match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg492 = msg("00030:33", part843); + + var part844 = match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg493 = msg("00030:34", part844); + + var part845 = match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg494 = msg("00030:35", part845); + + var part846 = match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg495 = msg("00030:36", part846); + + var part847 = match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + 
+ var msg496 = msg("00030:37", part847); + + var part848 = match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg497 = msg("00030:38", part848); + + var part849 = match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); + + var part850 = match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); + + var select194 = linear_select([ + part850, + dup16, + ]); + + var part851 = match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); + + var all168 = all_match({ + processors: [ + part849, + select194, + part851, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg498 = msg("00030:39", all168); + + var part852 = match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); + + var part853 = match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); + + var all169 = all_match({ + processors: [ + part852, + dup376, + part853, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg499 = msg("00030:17", all169); + + var part854 = match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); + + var part855 = match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); + + var select195 = linear_select([ + dup214, + part855, + ]); + + var part856 = match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); + + var all170 = all_match({ + processors: [ + part854, + select195, + part856, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg500 = msg("00030:40", all170); + + var part857 = match("MESSAGE#494:00030:41", 
"nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg501 = msg("00030:41", part857); + + var part858 = match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg502 = msg("00030:42", part858); + + var part859 = match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg503 = msg("00030:43", part859); + + var part860 = match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg504 = msg("00030:44", part860); + + var part861 = match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg505 = msg("00030:45", part861); + + var part862 = match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg506 = msg("00030:46", part862); + + var part863 = match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg507 = msg("00030:47", part863); + + var part864 = match("MESSAGE#501:00030:48", 
"nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg508 = msg("00030:48", part864); + + var part865 = match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg509 = msg("00030:49", part865); + + var part866 = match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg510 = msg("00030:50", part866); + + var part867 = match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg511 = msg("00030:51", part867); + + var part868 = match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg512 = msg("00030:52", part868); + + var part869 = match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg513 = msg("00030:53", part869); + + var part870 = match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ + dup44, + dup211, + dup31, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg514 = msg("00030:54", part870); + + var part871 = match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: 
The device could not generate %{p0}"); + + var all171 = all_match({ + processors: [ + part871, + dup377, + dup217, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg515 = msg("00030:55", all171); + + var part872 = match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg516 = msg("00030:56", part872); + + var part873 = match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ + dup35, + dup218, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg517 = msg("00030:57", part873); + + var part874 = match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ + dup86, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg518 = msg("00030:58", part874); + + var part875 = match("MESSAGE#512:00030:59", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{quote}s signer certificate.", processor_chain([ + dup35, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg519 = msg("00030:59", part875); + + var part876 = match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ + dup35, + dup218, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg520 = msg("00030:60", part876); + + var part877 = match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg521 = msg("00030:61", part877); + + var part878 = match("MESSAGE#515:00030:62", "nwparser.payload", 
"PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg522 = msg("00030:62", part878); + + var part879 = match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ + dup18, + dup219, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg523 = msg("00030:63", part879); + + var part880 = match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ + dup18, + dup218, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg524 = msg("00030:64", part880); + + var part881 = match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ + dup18, + dup218, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg525 = msg("00030:65", part881); + + var part882 = match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg526 = msg("00030:66", part882); + + var part883 = match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg527 = msg("00030:67", part883); + + var part884 = match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg528 = msg("00030:68", part884); + + var part885 = match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI 
data.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg529 = msg("00030:69", part885); + + var part886 = match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); + + var all172 = all_match({ + processors: [ + part886, + dup377, + dup217, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg530 = msg("00030:70", all172); + + var part887 = match("MESSAGE#524:00030:71", "nwparser.payload", "PKI: The public key of image%{quote}s signer has been loaded successfully, for future image authentication.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg531 = msg("00030:71", part887); + + var part888 = match("MESSAGE#525:00030:72", "nwparser.payload", "PKI: The signature of the image%{quote}s signer certificate cannot be verified.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg532 = msg("00030:72", part888); + + var part889 = match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); + + var part890 = match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); + + var part891 = match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); + + var part892 = match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); + + var select196 = linear_select([ + part890, + part891, + part892, + ]); + + var part893 = match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); + + var all173 = all_match({ + processors: [ + part889, + select196, + part893, + ], + on_success: processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg533 = msg("00030:73", all173); + + var part894 = match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ + dup44, 
+ dup2, + dup3, + dup4, + dup5, + ])); + + var msg534 = msg("00030:74", part894); + + var part895 = match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg535 = msg("00030:75", part895); + + var part896 = match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); + + var part897 = match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); + + var all174 = all_match({ + processors: [ + part896, + dup376, + part897, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg536 = msg("00030:76", all174); + + var part898 = match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ + dup18, + dup218, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg537 = msg("00030:77", part898); + + var part899 = match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ + dup35, + dup211, + dup220, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg538 = msg("00030:78", part899); + + var part900 = match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ + dup35, + dup211, + dup220, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg539 = msg("00030:79", part900); + + var part901 = match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg540 = msg("00030:80", part901); + + var part902 = match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg541 = msg("00030:81", 
part902); + + var part903 = match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg542 = msg("00030:82", part903); + + var part904 = match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ + dup35, + dup211, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg543 = msg("00030:83", part904); + + var part905 = match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg544 = msg("00030:84", part905); + + var part906 = match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ + setc("eventcategory","1603080000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg545 = msg("00030:85", part906); + + var part907 = match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); + + var all175 = all_match({ + processors: [ + dup221, + dup378, + part907, + ], + on_success: processor_chain([ + dup223, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg546 = msg("00030:86", all175); + + var part908 = match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + dup9, + ])); + + var msg547 = msg("00030:87", part908); + + var part909 = match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. 
(%{fld1})\u003c\u003c%{fld6}>"); + + var all176 = all_match({ + processors: [ + dup221, + dup378, + part909, + ], + on_success: processor_chain([ + dup223, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg548 = msg("00030:88", all176); + + var select197 = linear_select([ + msg475, + msg476, + msg477, + msg478, + msg479, + msg480, + msg481, + msg482, + msg483, + msg484, + msg485, + msg486, + msg487, + msg488, + msg489, + msg490, + msg491, + msg492, + msg493, + msg494, + msg495, + msg496, + msg497, + msg498, + msg499, + msg500, + msg501, + msg502, + msg503, + msg504, + msg505, + msg506, + msg507, + msg508, + msg509, + msg510, + msg511, + msg512, + msg513, + msg514, + msg515, + msg516, + msg517, + msg518, + msg519, + msg520, + msg521, + msg522, + msg523, + msg524, + msg525, + msg526, + msg527, + msg528, + msg529, + msg530, + msg531, + msg532, + msg533, + msg534, + msg535, + msg536, + msg537, + msg538, + msg539, + msg540, + msg541, + msg542, + msg543, + msg544, + msg545, + msg546, + msg547, + msg548, + ]); + + var part910 = match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg549 = msg("00031:13", part910); + + var part911 = match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg550 = msg("00031", part911); + + var part912 = match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg551 = msg("00031:01", part912); + + var part913 = match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); + + var part914 = match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); + + var part915 = 
match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); + + var part916 = match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); + + var all177 = all_match({ + processors: [ + part913, + dup379, + part914, + dup379, + part915, + dup379, + part916, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg552 = msg("00031:02", all177); + + var part917 = match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); + + var select198 = linear_select([ + dup130, + dup129, + ]); + + var part918 = match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); + + var all178 = all_match({ + processors: [ + part917, + select198, + part918, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg553 = msg("00031:03", all178); + + var part919 = match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); + + var part920 = match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); + + var select199 = linear_select([ + part920, + dup226, + ]); + + var part921 = match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); + + var all179 = all_match({ + processors: [ + part919, + select199, + part921, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg554 = msg("00031:04", all179); + + var part922 = match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); + + var select200 = linear_select([ + dup226, + dup25, + ]); + + var part923 = match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. 
(%{fld1})"); + + var all180 = all_match({ + processors: [ + part922, + select200, + part923, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg555 = msg("00031:11", all180); + + var part924 = match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); + + var part925 = match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); + + var part926 = match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); + + var select201 = linear_select([ + part925, + part926, + ]); + + var part927 = match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); + + var part928 = match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); + + var part929 = match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); + + var part930 = match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); + + var part931 = match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); + + var select202 = linear_select([ + part931, + dup96, + ]); + + var part932 = match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); + + var all181 = all_match({ + processors: [ + part924, + select201, + part927, + dup379, + part928, + dup379, + part929, + dup379, + part930, + select202, + part932, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg556 = msg("00031:08", all181); + + var part933 = match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); + + var all182 = all_match({ + processors: [ + part933, + dup337, + dup227, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg557 = msg("00031:05", all182); + + var part934 = match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); + + var select203 = linear_select([ + part934, + dup229, + dup230, + ]); + + var part935 = 
match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); + + var select204 = linear_select([ + dup105, + dup96, + ]); + + var part936 = match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); + + var part937 = match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); + + var all183 = all_match({ + processors: [ + dup228, + select203, + part935, + select204, + part936, + dup356, + part937, + dup352, + dup23, + dup380, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg558 = msg("00031:06", all183); + + var part938 = match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); + + var all184 = all_match({ + processors: [ + dup228, + dup381, + part938, + dup337, + dup227, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg559 = msg("00031:07", all184); + + var part939 = match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); + + var all185 = all_match({ + processors: [ + dup228, + dup381, + part939, + dup380, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg560 = msg("00031:09", all185); + + var part940 = match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg561 = msg("00031:10", part940); + + var part941 = match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg562 = msg("00031:12", part941); + + var select205 = linear_select([ + msg549, + msg550, + msg551, + msg552, + msg553, + msg554, + msg555, + msg556, + msg557, + msg558, + msg559, + msg560, + msg561, + msg562, + ]); + + var part942 = match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup232, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg563 = msg("00032", part942); + + var part943 = match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg564 = msg("00032:01", part943); + + var part944 = match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); + + var part945 = match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); + + var part946 = match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); + + var part947 = match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); + + var part948 = match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); + + var select206 = linear_select([ + part945, + part946, + part947, + part948, + ]); + + var all186 = all_match({ + processors: [ + part944, + select206, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg565 = msg("00032:03", all186); + + var part949 = match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred 
%{dclass_counter1->} times", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, + ])); + + var msg566 = msg("00032:04", part949); + + var part950 = match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg567 = msg("00032:05", part950); + + var msg568 = msg("00032:02", dup375); + + var select207 = linear_select([ + msg563, + msg564, + msg565, + msg566, + msg567, + msg568, + ]); + + var part951 = match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("agent","NSM"), + ])); + + var msg569 = msg("00033:25", part951); + + var part952 = match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); + + var part953 = match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); + + var select208 = linear_select([ + dup52, + part953, + ]); + + var part954 = match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); + + var all187 = all_match({ + processors: [ + dup382, + part952, + select208, + part954, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg570 = msg("00033", all187); + + var part955 = match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); + + var part956 = match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); + + var select209 = linear_select([ + part955, + part956, + ]); + + var part957 = match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); + + var all188 = all_match({ + processors: [ + dup160, + select209, + dup23, + dup369, + part957, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg571 = msg("00033:03", all188); + + var part958 = match("MESSAGE#563:00033:02/3", "nwparser.p0", "host 
has been %{disposition}"); + + var all189 = all_match({ + processors: [ + dup382, + dup23, + dup369, + part958, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg572 = msg("00033:02", all189); + + var part959 = match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg573 = msg("00033:04", part959); + + var part960 = match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg574 = msg("00033:05", part960); + + var part961 = match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ + dup27, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + ])); + + var msg575 = msg("00033:06", part961); + + var part962 = match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. 
The threshold was exceeded %{dclass_counter1->} times", processor_chain([ + dup27, + dup2, + dup3, + setc("dclass_counter1_string","Number of times the threshold was exceeded"), + dup4, + dup5, + dup61, + ])); + + var msg576 = msg("00033:01", part962); + + var part963 = match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg577 = msg("00033:07", part963); + + var part964 = match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); + + var all190 = all_match({ + processors: [ + dup235, + dup383, + part964, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg578 = msg("00033:08", all190); + + var part965 = match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); + + var all191 = all_match({ + processors: [ + dup235, + dup383, + part965, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg579 = msg("00033:09", all191); + + var part966 = match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); + + var part967 = match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); + + var select210 = linear_select([ + part967, + dup238, + ]); + + var all192 = all_match({ + processors: [ + dup235, + dup383, + part966, + select210, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg580 = msg("00033:10", all192); + + var part968 = match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); + + var part969 = match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); + + var all193 = all_match({ + processors: [ + dup235, + dup383, + part968, + dup383, + part969, + ], + 
on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg581 = msg("00033:11", all193); + + var part970 = match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); + + var select211 = linear_select([ + dup101, + dup238, + ]); + + var all194 = all_match({ + processors: [ + dup235, + dup383, + part970, + select211, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg582 = msg("00033:12", all194); + + var part971 = match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); + + var part972 = match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); + + var part973 = match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); + + var select212 = linear_select([ + part972, + part973, + ]); + + var all195 = all_match({ + processors: [ + dup235, + dup383, + part971, + select212, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg583 = msg("00033:13", all195); + + var part974 = match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); + + var all196 = all_match({ + processors: [ + dup235, + dup383, + part974, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg584 = msg("00033:14", all196); + + var part975 = match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); + + var all197 = all_match({ + processors: [ + dup235, + dup383, + part975, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg585 = msg("00033:15", all197); + + var part976 = match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); + + var all198 = all_match({ + processors: [ + dup235, + dup383, + part976, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, 
+ dup5, + ]), + }); + + var msg586 = msg("00033:16", all198); + + var part977 = match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); + + var part978 = match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); + + var part979 = match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); + + var select213 = linear_select([ + part978, + part979, + ]); + + var all199 = all_match({ + processors: [ + dup235, + dup383, + part977, + select213, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg587 = msg("00033:17", all199); + + var part980 = match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); + + var part981 = match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); + + var all200 = all_match({ + processors: [ + part980, + dup339, + dup70, + dup340, + part981, + ], + on_success: processor_chain([ + dup27, + dup2, + dup4, + dup5, + dup3, + dup59, + dup61, + ]), + }); + + var msg588 = msg("00033:19", all200); + + var part982 = match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ + dup27, + dup2, + dup4, + dup5, + dup3, + dup59, + dup60, + ])); + + var msg589 = msg("00033:20", part982); + + var all201 = all_match({ + processors: [ + dup239, + dup343, + dup83, + ], + on_success: processor_chain([ + dup27, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg590 = msg("00033:21", all201); + + var part983 = match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! 
From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var all202 = all_match({ + processors: [ + part983, + dup343, + dup83, + ], + on_success: processor_chain([ + dup27, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg591 = msg("00033:22", all202); + + var part984 = match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg592 = msg("00033:23", part984); + + var part985 = match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ + setc("eventcategory","1001030500"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg593 = msg("00033:24", part985); + + var select214 = linear_select([ + msg569, + msg570, + msg571, + msg572, + msg573, + msg574, + msg575, + msg576, + msg577, + msg578, + msg579, + msg580, + msg581, + msg582, + msg583, + msg584, + msg585, + msg586, + msg587, + msg588, + msg589, + msg590, + msg591, + msg592, + msg593, + ]); + + var part986 = match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); + + var part987 = match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); + + var select215 = linear_select([ + part986, + part987, + ]); + + var part988 = match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); + + var part989 = match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); + + var select216 = linear_select([ + part988, + dup201, + part989, + ]); + + var select217 = linear_select([ + dup196, + dup103, + dup163, + ]); + + var part990 = match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. 
(Key ID=%{fld2})"); + + var all203 = all_match({ + processors: [ + select215, + dup103, + select216, + dup202, + select217, + part990, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg594 = msg("00034", all203); + + var part991 = match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); + + var part992 = match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); + + var select218 = linear_select([ + part991, + part992, + ]); + + var part993 = match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); + + var part994 = match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); + + var select219 = linear_select([ + part994, + dup241, + ]); + + var part995 = match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); + + var all204 = all_match({ + processors: [ + select218, + part993, + select219, + part995, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg595 = msg("00034:01", all204); + + var part996 = match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg596 = msg("00034:02", part996); + + var part997 = match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); + + var all205 = all_match({ + processors: [ + dup384, + part997, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg597 = msg("00034:03", all205); + + var part998 = match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. 
(Key ID=%{fld2})", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg598 = msg("00034:04", part998); + + var part999 = match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg599 = msg("00034:05", part999); + + var part1000 = match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); + + var part1001 = match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); + + var part1002 = match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); + + var select220 = linear_select([ + part1001, + part1002, + ]); + + var part1003 = match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); + + var all206 = all_match({ + processors: [ + dup384, + part1000, + select220, + part1003, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg600 = msg("00034:06", all206); + + var part1004 = match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg601 = msg("00034:07", part1004); + + var part1005 = match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg602 = msg("00034:08", part1005); + + var part1006 = match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg603 = msg("00034:09", part1006); + + var part1007 = 
match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); + + var part1008 = match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); + + var part1009 = match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); + + var part1010 = match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); + + var select221 = linear_select([ + part1009, + part1010, + ]); + + var part1011 = match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); + + var all207 = all_match({ + processors: [ + dup244, + dup385, + part1007, + dup352, + part1008, + select221, + part1011, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg604 = msg("00034:10", all207); + + var part1012 = match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); + + var part1013 = match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); + + var all208 = all_match({ + processors: [ + dup244, + dup385, + part1012, + dup386, + part1013, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg605 = msg("00034:12", all208); + + var part1014 = match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); + + var part1015 = match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); + + var all209 = all_match({ + processors: [ + dup244, + dup385, + part1014, + dup386, + part1015, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg606 = msg("00034:11", all209); + + var part1016 = match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ + dup240, + 
dup2, + dup3, + dup4, + dup5, + ])); + + var msg607 = msg("00034:15", part1016); + + var part1017 = match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); + + var all210 = all_match({ + processors: [ + dup244, + dup387, + part1017, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg608 = msg("00034:18", all210); + + var part1018 = match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); + + var all211 = all_match({ + processors: [ + dup244, + dup387, + part1018, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg609 = msg("00034:20", all211); + + var part1019 = match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); + + var part1020 = match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); + + var part1021 = match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); + + var select222 = linear_select([ + part1021, + dup156, + ]); + + var part1022 = match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); + + var part1023 = match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); + + var part1024 = match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); + + var select223 = linear_select([ + part1023, + part1024, + ]); + + var all212 = all_match({ + processors: [ + dup244, + dup387, + part1019, + dup372, + part1020, + select222, + part1022, + select223, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg610 = msg("00034:21", all212); + + var part1025 = match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS 
to vsys %{fld2->} using the shared untrusted interface", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg611 = msg("00034:22", part1025); + + var part1026 = match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); + + var part1027 = match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); + + var select224 = linear_select([ + part1026, + part1027, + ]); + + var part1028 = match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); + + var all213 = all_match({ + processors: [ + dup160, + select224, + part1028, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg612 = msg("00034:23", all213); + + var part1029 = match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg613 = msg("00034:24", part1029); + + var part1030 = match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg614 = msg("00034:25", part1030); + + var part1031 = match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg615 = msg("00034:26", part1031); + + var part1032 = match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg616 = msg("00034:27", part1032); + + var part1033 = match("MESSAGE#608:00034:28", "nwparser.payload", "PPPoE%{quote}s session closed by AC", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg617 = msg("00034:28", part1033); + + var part1034 = match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg618 = msg("00034:29", part1034); + + var part1035 = match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg619 = msg("00034:30", part1035); + + var part1036 = match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg620 = msg("00034:31", part1036); + + var part1037 = match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg621 = msg("00034:32", part1037); + + var part1038 = match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg622 = msg("00034:33", part1038); + + var part1039 = match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. 
Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg623 = msg("00034:34", part1039); + + var part1040 = match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg624 = msg("00034:35", part1040); + + var part1041 = match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg625 = msg("00034:36", part1041); + + var part1042 = match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg626 = msg("00034:37", part1042); + + var part1043 = match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg627 = msg("00034:38", part1043); + + var part1044 = match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg628 = msg("00034:39", part1044); + + var part1045 = match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg629 = msg("00034:40", part1045); + + var part1046 = match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file 
%{p0}"); + + var part1047 = match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); + + var all214 = all_match({ + processors: [ + part1046, + dup373, + part1047, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg630 = msg("00034:41", all214); + + var part1048 = match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg631 = msg("00034:42", part1048); + + var part1049 = match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg632 = msg("00034:43", part1049); + + var part1050 = match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg633 = msg("00034:44", part1050); + + var select225 = linear_select([ + msg594, + msg595, + msg596, + msg597, + msg598, + msg599, + msg600, + msg601, + msg602, + msg603, + msg604, + msg605, + msg606, + msg607, + msg608, + msg609, + msg610, + msg611, + msg612, + msg613, + msg614, + msg615, + msg616, + msg617, + msg618, + msg619, + msg620, + msg621, + msg622, + msg623, + msg624, + msg625, + msg626, + msg627, + msg628, + msg629, + msg630, + msg631, + msg632, + msg633, + ]); + + var part1051 = match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg634 = msg("00035", part1051); + + var part1052 = match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + 
dup5, + ])); + + var msg635 = msg("00035:01", part1052); + + var part1053 = match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg636 = msg("00035:02", part1053); + + var part1054 = match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg637 = msg("00035:03", part1054); + + var part1055 = match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); + + var part1056 = match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); + + var part1057 = match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); + + var part1058 = match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); + + var select226 = linear_select([ + part1056, + part1057, + part1058, + ]); + + var part1059 = match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); + + var all215 = all_match({ + processors: [ + part1055, + select226, + part1059, + ], + on_success: processor_chain([ + dup117, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg638 = msg("00035:04", all215); + + var part1060 = match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. 
Not ready for connections.%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg639 = msg("00035:05", part1060); + + var part1061 = match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); + + var part1062 = match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); + + var all216 = all_match({ + processors: [ + part1061, + dup388, + part1062, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg640 = msg("00035:06", all216); + + var part1063 = match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg641 = msg("00035:07", part1063); + + var part1064 = match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg642 = msg("00035:08", part1064); + + var part1065 = match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); + + var select227 = linear_select([ + part1065, + dup92, + ]); + + var all217 = all_match({ + processors: [ + dup253, + select227, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg643 = msg("00035:09", all217); + + var part1066 = match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); + + var part1067 = match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); + + var part1068 = match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); + + var select228 = linear_select([ + part1067, + part1068, + ]); + + var all218 = all_match({ + processors: [ + part1066, + select228, + ], + on_success: processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg644 = msg("00035:10", all218); + + var part1069 = match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); + + var part1070 = 
match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); + + var part1071 = match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); + + var select229 = linear_select([ + part1070, + part1071, + ]); + + var all219 = all_match({ + processors: [ + part1069, + select229, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg645 = msg("00035:11", all219); + + var part1072 = match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); + + var part1073 = match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); + + var all220 = all_match({ + processors: [ + part1072, + dup388, + part1073, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg646 = msg("00035:12", all220); + + var part1074 = match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); + + var select230 = linear_select([ + dup101, + part1074, + ]); + + var part1075 = match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. 
Key type is not RSA%{}"); + + var all221 = all_match({ + processors: [ + dup253, + select230, + part1075, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg647 = msg("00035:13", all221); + + var part1076 = match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg648 = msg("00035:14", part1076); + + var part1077 = match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); + + var part1078 = match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); + + var part1079 = match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); + + var select231 = linear_select([ + part1078, + part1079, + ]); + + var all222 = all_match({ + processors: [ + part1077, + select231, + ], + on_success: processor_chain([ + dup184, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg649 = msg("00035:15", all222); + + var part1080 = match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg650 = msg("00035:16", part1080); + + var select232 = linear_select([ + msg634, + msg635, + msg636, + msg637, + msg638, + msg639, + msg640, + msg641, + msg642, + msg643, + msg644, + msg645, + msg646, + msg647, + msg648, + msg649, + msg650, + ]); + + var part1081 = match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg651 = msg("00036", part1081); + + var part1082 = match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); + + var part1083 = match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); 
+ + var select233 = linear_select([ + dup214, + part1083, + ]); + + var part1084 = match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); + + var all223 = all_match({ + processors: [ + part1082, + select233, + part1084, + ], + on_success: processor_chain([ + dup254, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg652 = msg("00036:01", all223); + + var select234 = linear_select([ + msg651, + msg652, + ]); + + var part1085 = match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); + + var part1086 = match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); + + var part1087 = match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); + + var select235 = linear_select([ + part1086, + part1087, + ]); + + var all224 = all_match({ + processors: [ + part1085, + select235, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg653 = msg("00037", all224); + + var part1088 = match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); + + var select236 = linear_select([ + dup255, + dup256, + ]); + + var part1089 = match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); + + var all225 = all_match({ + processors: [ + part1088, + select236, + part1089, + dup351, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg654 = msg("00037:01", all225); + + var part1090 = match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg655 = msg("00037:02", part1090); + + var part1091 = match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); + + var part1092 = match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); + + var select237 = linear_select([ + part1091, + part1092, + ]); + + var part1093 = match("MESSAGE#646:00037:03/3", 
"nwparser.p0", "virtual router %{p0}"); + + var part1094 = match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); + + var part1095 = match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); + + var select238 = linear_select([ + part1094, + part1095, + ]); + + var all226 = all_match({ + processors: [ + dup113, + select237, + dup371, + part1093, + select238, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg656 = msg("00037:03", all226); + + var part1096 = match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg657 = msg("00037:04", part1096); + + var part1097 = match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); + + var select239 = linear_select([ + dup256, + dup255, + ]); + + var part1098 = match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); + + var part1099 = match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); + + var select240 = linear_select([ + dup10, + part1099, + ]); + + var all227 = all_match({ + processors: [ + part1097, + select239, + part1098, + select240, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg658 = msg("00037:05", all227); + + var part1100 = match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg659 = msg("00037:06", part1100); + + var select241 = linear_select([ + msg653, + msg654, + msg655, + msg656, + msg657, + msg658, + msg659, + ]); + + var part1101 = match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); + + var part1102 = match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); + + var part1103 = match("MESSAGE#650:00038/1_1", 
"nwparser.p0", "%{node->} %{p0}"); + + var select242 = linear_select([ + part1102, + part1103, + ]); + + var all228 = all_match({ + processors: [ + part1101, + select242, + dup36, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg660 = msg("00038", all228); + + var part1104 = match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg661 = msg("00039", part1104); + + var part1105 = match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); + + var part1106 = match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); + + var select243 = linear_select([ + part1105, + part1106, + ]); + + var part1107 = match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); + + var all229 = all_match({ + processors: [ + select243, + part1107, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg662 = msg("00040", all229); + + var part1108 = match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg663 = msg("00040:01", part1108); + + var select244 = linear_select([ + msg662, + msg663, + ]); + + var part1109 = match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg664 = msg("00041", part1109); + + var part1110 = match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg665 = msg("00041:01", part1110); + + var select245 = linear_select([ + msg664, + msg665, + ]); + + var part1111 = 
match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg666 = msg("00042", part1111); + + var part1112 = match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup9, + dup4, + dup5, + dup60, + ])); + + var msg667 = msg("00042:01", part1112); + + var select246 = linear_select([ + msg666, + msg667, + ]); + + var part1113 = match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg668 = msg("00043", part1113); + + var part1114 = match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); + + var part1115 = match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); + + var select247 = linear_select([ + dup257, + part1115, + ]); + + var part1116 = match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); + + var all230 = all_match({ + processors: [ + part1114, + select247, + part1116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg669 = msg("00044", all230); + + var part1117 = match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg670 = msg("00044:01", part1117); + + var select248 = linear_select([ + msg669, + msg670, + ]); + + var part1118 = 
match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg671 = msg("00045", part1118); + + var part1119 = match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); + + var part1120 = match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); + + var select249 = linear_select([ + part1119, + part1120, + ]); + + var part1121 = match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); + + var all231 = all_match({ + processors: [ + dup183, + select249, + part1121, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg672 = msg("00047", all231); + + var part1122 = match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); + + var part1123 = match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); + + var part1124 = match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); + + var select250 = linear_select([ + part1123, + part1124, + ]); + + var part1125 = match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); + + var part1126 = match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); + + var select251 = linear_select([ + part1126, + dup112, + ]); + + var part1127 = match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); + + var select252 = linear_select([ + part1127, + dup139, + ]); + + var part1128 = match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); + + var part1129 = match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); + + var select253 = linear_select([ + part1129, + dup16, + ]); + + var part1130 = match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); + + var part1131 = match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); + + var select254 = 
linear_select([ + part1131, + dup129, + ]); + + var part1132 = match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); + + var all232 = all_match({ + processors: [ + part1122, + select250, + part1125, + select251, + dup257, + select252, + part1128, + select253, + part1130, + select254, + part1132, + ], + on_success: processor_chain([ + setc("eventcategory","1501000000"), + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg673 = msg("00048", all232); + + var part1133 = match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); + + var part1134 = match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); + + var part1135 = match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); + + var select255 = linear_select([ + part1134, + part1135, + ]); + + var part1136 = match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); + + var part1137 = match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); + + var select256 = linear_select([ + part1137, + dup105, + ]); + + var part1138 = match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); + + var all233 = all_match({ + processors: [ + part1133, + select255, + part1136, + select256, + part1138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg674 = msg("00048:01", all233); + + var part1139 = match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ + dup209, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg675 = msg("00048:02", part1139); + + var select257 = linear_select([ + msg673, + msg674, + msg675, + ]); + + var part1140 = match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ + 
dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg676 = msg("00049", part1140); + + var part1141 = match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg677 = msg("00049:01", part1141); + + var part1142 = match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg678 = msg("00049:02", part1142); + + var part1143 = match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg679 = msg("00049:03", part1143); + + var part1144 = match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg680 = msg("00049:04", part1144); + + var part1145 = match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg681 = msg("00049:05", part1145); + + var select258 = linear_select([ + msg676, + msg677, + msg678, + msg679, + msg680, + msg681, + ]); + + var part1146 = match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg682 = msg("00050", part1146); + + var part1147 = match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg683 = msg("00051", part1147); + + var part1148 = match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg684 = msg("00052", part1148); + + var part1149 = match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); + + var select259 = linear_select([ + dup169, + part1149, + ]); + + var part1150 = match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); + + var all234 = all_match({ + processors: [ + dup258, + select259, + part1150, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg685 = msg("00055", all234); + + var part1151 = match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); + + var part1152 = match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); + + var select260 = linear_select([ + part1151, + part1152, + ]); + + var part1153 = match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); + + var all235 = all_match({ + processors: [ + dup258, + select260, + part1153, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, 
+ dup5, + ]), + }); + + var msg686 = msg("00055:01", all235); + + var part1154 = match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); + + var all236 = all_match({ + processors: [ + dup259, + dup389, + part1154, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg687 = msg("00055:02", all236); + + var part1155 = match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); + + var all237 = all_match({ + processors: [ + dup259, + dup389, + part1155, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg688 = msg("00055:03", all237); + + var part1156 = match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg689 = msg("00055:04", part1156); + + var part1157 = match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); + + var part1158 = match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); + + var select261 = linear_select([ + dup110, + part1158, + ]); + + var part1159 = match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); + + var all238 = all_match({ + processors: [ + part1157, + select261, + part1159, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg690 = msg("00055:05", all238); + + var part1160 = match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); + + var part1161 = match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); + + var part1162 = match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); + + var select262 = linear_select([ + part1161, + part1162, + ]); + + var part1163 = match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface 
%{interface}."); + + var all239 = all_match({ + processors: [ + part1160, + select262, + part1163, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg691 = msg("00055:06", all239); + + var part1164 = match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); + + var part1165 = match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); + + var part1166 = match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); + + var select263 = linear_select([ + part1164, + part1165, + part1166, + ]); + + var part1167 = match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); + + var all240 = all_match({ + processors: [ + dup258, + select263, + part1167, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg692 = msg("00055:07", all240); + + var part1168 = match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); + + var part1169 = match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); + + var select264 = linear_select([ + part1168, + part1169, + ]); + + var part1170 = match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); + + var all241 = all_match({ + processors: [ + dup258, + select264, + part1170, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg693 = msg("00055:08", all241); + + var part1171 = match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg694 = msg("00055:09", part1171); + + var part1172 = match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg695 = msg("00055:10", part1172); + 
+ var select265 = linear_select([ + msg685, + msg686, + msg687, + msg688, + msg689, + msg690, + msg691, + msg692, + msg693, + msg694, + msg695, + ]); + + var part1173 = match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg696 = msg("00056", part1173); + + var part1174 = match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg697 = msg("00057", part1174); + + var part1175 = match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg698 = msg("00058", part1175); + + var part1176 = match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); + + var part1177 = match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); + + var select266 = linear_select([ + part1177, + dup262, + dup157, + dup156, + ]); + + var all242 = all_match({ + processors: [ + part1176, + select266, + dup116, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg699 = msg("00059", all242); + + var part1178 = match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); + + var part1179 = match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); + + var part1180 = match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); + + var select267 = linear_select([ + part1179, + part1180, + ]); + + var part1181 = match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); + + var 
all243 = all_match({ + processors: [ + part1178, + select267, + part1181, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg700 = msg("00059:02", all243); + + var part1182 = match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg701 = msg("00059:03", part1182); + + var part1183 = match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg702 = msg("00059:04", part1183); + + var part1184 = match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); + + var part1185 = match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); + + var part1186 = match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); + + var part1187 = match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); + + var select268 = linear_select([ + part1184, + part1185, + part1186, + part1187, + ]); + + var part1188 = match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); + + var all244 = all_match({ + processors: [ + select268, + part1188, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg703 = msg("00059:05", all244); + + var part1189 = match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg704 = msg("00059:06", part1189); + + var part1190 = match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ + 
dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg705 = msg("00059:07", part1190); + + var part1191 = match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); + + var part1192 = match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); + + var select269 = linear_select([ + part1191, + part1192, + ]); + + var part1193 = match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); + + var all245 = all_match({ + processors: [ + select269, + part1193, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg706 = msg("00059:08", all245); + + var part1194 = match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); + + var part1195 = match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); + + var select270 = linear_select([ + part1194, + part1195, + ]); + + var part1196 = match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); + + var part1197 = match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); + + var select271 = linear_select([ + dup261, + part1197, + ]); + + var part1198 = match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); + + var all246 = all_match({ + processors: [ + dup160, + select270, + part1196, + select271, + part1198, + ], + on_success: processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg707 = msg("00059:09", all246); + + var part1199 = match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg708 = msg("00059:01", part1199); + + var select272 = linear_select([ + msg699, + msg700, + msg701, + msg702, + msg703, + msg704, + msg705, + msg706, + msg707, + msg708, + ]); + + var 
part1200 = match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP failed"), + ])); + + var msg709 = msg("00062:01", part1200); + + var part1201 = match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP failure reached threshold"), + ])); + + var msg710 = msg("00062:02", part1201); + + var part1202 = match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP succeeded"), + ])); + + var msg711 = msg("00062:03", part1202); + + var part1203 = match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg712 = msg("00062", part1203); + + var select273 = linear_select([ + msg709, + msg710, + msg711, + msg712, + ]); + + var part1204 = match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg713 = msg("00063", part1204); + + var part1205 = match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg714 = msg("00064", part1205); + + var part1206 = match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg715 = msg("00064:01", part1206); + + var part1207 = match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. 
(%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg716 = msg("00064:02", part1207); + + var select274 = linear_select([ + msg714, + msg715, + msg716, + ]); + + var msg717 = msg("00070", dup411); + + var part1208 = match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); + + var part1209 = match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); + + var part1210 = match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); + + var select275 = linear_select([ + part1209, + part1210, + ]); + + var all247 = all_match({ + processors: [ + dup267, + dup391, + part1208, + select275, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg718 = msg("00070:01", all247); + + var part1211 = match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg719 = msg("00070:02", part1211); + + var select276 = linear_select([ + msg717, + msg718, + msg719, + ]); + + var msg720 = msg("00071", dup411); + + var part1212 = match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg721 = msg("00071:01", part1212); + + var select277 = linear_select([ + msg720, + msg721, + ]); + + var msg722 = msg("00072", dup411); + + var msg723 = msg("00072:01", dup412); + + var select278 = linear_select([ + msg722, + msg723, + ]); + + var msg724 = msg("00073", dup411); + + var msg725 = msg("00073:01", dup412); + + var select279 = linear_select([ + msg724, + msg725, + ]); + + var msg726 = msg("00074", dup392); + + var all248 = all_match({ + processors: [ + dup263, + dup390, + dup271, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + 
}); + + var msg727 = msg("00075", all248); + + var part1213 = match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), + ])); + + var msg728 = msg("00075:02", part1213); + + var part1214 = match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg729 = msg("00075:01", part1214); + + var select280 = linear_select([ + msg727, + msg728, + msg729, + ]); + + var msg730 = msg("00076", dup392); + + var part1215 = match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); + + var all249 = all_match({ + processors: [ + dup263, + dup390, + part1215, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg731 = msg("00076:01", all249); + + var select281 = linear_select([ + msg730, + msg731, + ]); + + var part1216 = match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. 
Begin to use second path of HA%{}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg732 = msg("00077", part1216); + + var all250 = all_match({ + processors: [ + dup263, + dup390, + dup271, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg733 = msg("00077:01", all250); + + var part1217 = match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ + setc("eventcategory","1607000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg734 = msg("00077:02", part1217); + + var select282 = linear_select([ + msg732, + msg733, + msg734, + ]); + + var part1218 = match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg735 = msg("00084", part1218); + + var part1219 = match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); + + var part1220 = match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); + + var select283 = linear_select([ + part1219, + part1220, + ]); + + var part1221 = match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); + + var all251 = all_match({ + processors: [ + select283, + dup103, + dup369, + part1221, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg736 = msg("00090", all251); + + var part1222 = match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg737 = msg("00200", part1222); + + var part1223 = match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router 
exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg738 = msg("00201", part1223); + + var part1224 = match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ + dup272, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg739 = msg("00202", part1224); + + var part1225 = match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ + dup272, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg740 = msg("00203", part1225); + + var part1226 = match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); + + var part1227 = match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); + + var part1228 = match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); + + var select284 = linear_select([ + part1227, + part1228, + ]); + + var part1229 = match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); + + var all252 = all_match({ + processors: [ + part1226, + select284, + part1229, + ], + on_success: processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg741 = msg("00206", all252); + + var part1230 = match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); + + var part1231 = match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); + + var all253 = all_match({ + processors: [ + part1230, + dup352, + part1231, + ], + on_success: processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg742 = msg("00206:01", all253); + + var part1232 = match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet 
flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); + + var part1233 = match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); + + var all254 = all_match({ + processors: [ + part1232, + dup352, + part1233, + ], + on_success: processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg743 = msg("00206:02", all254); + + var part1234 = match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg744 = msg("00206:03", part1234); + + var part1235 = match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg745 = msg("00206:04", part1235); + + var select285 = linear_select([ + msg741, + msg742, + msg743, + msg744, + msg745, + ]); + + var part1236 = match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg746 = msg("00207", part1236); + + var part1237 = match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg747 = msg("00207:01", part1237); + + var part1238 = match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg748 = msg("00207:02", part1238); + + var part1239 = match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in 
vr %{fld3}.", processor_chain([ + dup273, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg749 = msg("00207:03", part1239); + + var select286 = linear_select([ + msg746, + msg747, + msg748, + msg749, + ]); + + var part1240 = match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + dup278, + ])); + + var msg750 = msg("00257", part1240); + + var part1241 = match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup279, + dup276, + dup277, + dup280, + ])); + + var msg751 = msg("00257:14", part1241); + + var part1242 = match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + dup278, + ])); + + var msg752 = msg("00257:01", part1242); + + var part1243 = match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} 
direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup279, + dup282, + dup280, + ])); + + var msg753 = msg("00257:15", part1243); + + var part1244 = match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + ])); + + var msg754 = msg("00257:02", part1244); + + var part1245 = match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ])); + + var msg755 = msg("00257:03", part1245); + + var part1246 = match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + ])); + + var msg756 = msg("00257:04", part1246); + + var part1247 = match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ])); + + var msg757 = msg("00257:05", part1247); + + var part1248 = match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); + + var all255 = all_match({ + processors: [ + dup283, + dup393, + part1248, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg758 = msg("00257:19", all255); + + var part1249 = match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); + + var all256 = all_match({ + processors: [ + dup283, + dup393, + part1249, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg759 = msg("00257:16", all256); + + var part1250 = match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} 
policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); + + var all257 = all_match({ + processors: [ + dup283, + dup393, + part1250, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ]), + }); + + var msg760 = msg("00257:17", all257); + + var part1251 = match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); + + var all258 = all_match({ + processors: [ + dup283, + dup393, + part1251, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ]), + }); + + var msg761 = msg("00257:18", all258); + + var part1252 = match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); + + var part1253 = match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); + + var part1254 = match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); + + var select287 = linear_select([ + part1253, + part1254, + ]); + + var all259 = all_match({ + processors: [ + part1252, + select287, + ], + on_success: processor_chain([ + dup185, + 
dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup276, + dup277, + ]), + }); + + var msg762 = msg("00257:06", all259); + + var part1255 = match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup61, + dup282, + ])); + + var msg763 = msg("00257:07", part1255); + + var part1256 = match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup276, + dup277, + ])); + + var msg764 = msg("00257:08", part1256); + + var part1257 = match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); + + var part1258 = match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); + + var part1259 = match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); + + var part1260 = match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); + + var select288 = linear_select([ + part1258, + part1259, + part1260, + ]); + + var all260 = all_match({ + processors: [ + part1257, + select288, + ], + on_success: processor_chain([ + 
dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg765 = msg("00257:09", all260); + + var part1261 = match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); + + var part1262 = match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); + + var select289 = linear_select([ + part1262, + dup286, + ]); + + var all261 = all_match({ + processors: [ + part1261, + select289, + ], + on_success: processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup276, + dup277, + ]), + }); + + var msg766 = msg("00257:10", all261); + + var part1263 = match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); + + var part1264 = match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); + + var select290 = linear_select([ + part1264, + dup286, + ]); + + var all262 = all_match({ + processors: [ + part1263, + select290, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + dup275, + dup60, + dup282, + ]), + }); + + var msg767 = msg("00257:11", all262); + + var part1265 = match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + dup274, + 
dup275, + dup60, + dup282, + ])); + + var msg768 = msg("00257:12", part1265); + + var part1266 = match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ + dup281, + dup2, + dup3, + dup274, + dup4, + dup5, + ])); + + var msg769 = msg("00257:13", part1266); + + var select291 = linear_select([ + msg750, + msg751, + msg752, + msg753, + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, + msg769, + ]); + + var part1267 = match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); + + var part1268 = match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); + + var select292 = linear_select([ + part1268, + dup289, + dup241, + ]); + + var part1269 = match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); + + var all263 = all_match({ + processors: [ + dup394, + part1267, + select292, + part1269, + ], + on_success: processor_chain([ + dup28, + dup29, + dup30, + dup31, + dup32, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg770 = msg("00259", all263); + + var part1270 = match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); + + var all264 = all_match({ + processors: [ + dup394, + part1270, + ], + on_success: processor_chain([ + dup33, + dup29, + dup34, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg771 = msg("00259:07", all264); + + var part1271 = match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg772 = msg("00259:01", part1271); + + var part1272 = match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ 
+ dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg773 = msg("00259:02", part1272); + + var part1273 = match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg774 = msg("00259:03", part1273); + + var part1274 = match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg775 = msg("00259:04", part1274); + + var part1275 = match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); + + var part1276 = match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); + + var select293 = linear_select([ + dup241, + dup289, + part1276, + ]); + + var part1277 = match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); + + var all265 = all_match({ + processors: [ + part1275, + select293, + part1277, + ], + on_success: processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg776 = msg("00259:05", all265); + + var part1278 = match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg777 = msg("00259:06", part1278); + + var select294 = linear_select([ + msg770, + msg771, + msg772, + msg773, + msg774, + msg775, + msg776, + msg777, + ]); + + var part1279 = match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg778 = msg("00262", 
part1279); + + var part1280 = match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ + setc("eventcategory","1401050100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg779 = msg("00263", part1280); + + var part1281 = match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); + + var part1282 = match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); + + var part1283 = match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); + + var part1284 = match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); + + var select295 = linear_select([ + part1281, + part1282, + part1283, + part1284, + ]); + + var part1285 = match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); + + var all266 = all_match({ + processors: [ + select295, + part1285, + ], + on_success: processor_chain([ + setc("eventcategory","1003000000"), + dup2, + dup4, + dup5, + dup3, + dup61, + ]), + }); + + var msg780 = msg("00400", all266); + + var part1286 = match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup291, + ])); + + var msg781 = msg("00401", part1286); + + var part1287 = match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup292, + ])); + + var msg782 = msg("00402", part1287); + + var part1288 = match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); + + var part1289 = match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); + + var all267 = all_match({ + processors: [ + part1288, + dup337, + part1289, + ], + on_success: processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup292, + ]), + }); + + var msg783 = msg("00402:01", all267); + + var select296 = linear_select([ + msg782, + msg783, + ]); + + var part1290 = match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup291, + ])); + + var msg784 = msg("00403", part1290); + + var part1291 = match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup4, + dup5, + dup3, + dup292, + ])); + + var msg785 = msg("00404", part1291); + + var part1292 = match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). 
%{info}", processor_chain([ + dup147, + dup2, + dup4, + dup5, + dup3, + dup291, + ])); + + var msg786 = msg("00405", part1292); + + var msg787 = msg("00406", dup413); + + var msg788 = msg("00407", dup413); + + var msg789 = msg("00408", dup413); + + var all268 = all_match({ + processors: [ + dup132, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg790 = msg("00409", all268); + + var msg791 = msg("00410", dup413); + + var part1293 = match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup60, + ])); + + var msg792 = msg("00410:01", part1293); + + var select297 = linear_select([ + msg791, + msg792, + ]); + + var part1294 = match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); + + var all269 = all_match({ + processors: [ + part1294, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg793 = msg("00411", all269); + + var part1295 = match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); + + var part1296 = match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); + + var all270 = all_match({ + processors: [ + part1295, + dup337, + part1296, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var msg794 = msg("00413", all270); + + var part1297 = match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From 
%{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); + + var all271 = all_match({ + processors: [ + part1297, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup61, + ]), + }); + + var msg795 = msg("00413:01", all271); + + var part1298 = match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup9, + ])); + + var msg796 = msg("00413:02", part1298); + + var select298 = linear_select([ + msg794, + msg795, + msg796, + ]); + + var part1299 = match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + ])); + + var msg797 = msg("00414", part1299); + + var part1300 = match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup9, + ])); + + var msg798 = msg("00414:01", part1300); + + var select299 = linear_select([ + msg797, + msg798, + ]); + + var part1301 = match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg799 = msg("00415", part1301); + + var all272 = all_match({ + processors: [ + dup132, + dup343, + dup294, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), + }); + + var msg800 = msg("00423", all272); + + var all273 = all_match({ + processors: [ + dup80, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup60, + ]), + }); + + var msg801 = msg("00429", all273); + + var all274 = all_match({ + processors: [ + dup132, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup60, + ]), + }); + + var msg802 = msg("00429:01", all274); + + var select300 = linear_select([ + msg801, + msg802, + ]); + + var all275 = all_match({ + processors: [ + dup80, + dup343, + dup295, + dup351, + ], + on_success: processor_chain([ + dup85, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ]), + }); + + var msg803 = msg("00430", all275); + + var all276 = all_match({ + processors: [ + dup132, + dup343, + dup295, + dup351, + ], + on_success: processor_chain([ + dup85, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup60, + ]), + }); + + var msg804 = msg("00430:01", all276); + + var select301 = linear_select([ + msg803, + msg804, + ]); + + var msg805 = msg("00431", dup414); + + var msg806 = msg("00432", dup414); + + var msg807 = msg("00433", dup415); + + var msg808 
= msg("00434", dup415); + + var msg809 = msg("00435", dup395); + + var all277 = all_match({ + processors: [ + dup132, + dup343, + dup294, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup5, + dup3, + dup60, + ]), + }); + + var msg810 = msg("00435:01", all277); + + var select302 = linear_select([ + msg809, + msg810, + ]); + + var msg811 = msg("00436", dup395); + + var all278 = all_match({ + processors: [ + dup64, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup4, + dup5, + dup3, + dup60, + ]), + }); + + var msg812 = msg("00436:01", all278); + + var select303 = linear_select([ + msg811, + msg812, + ]); + + var part1302 = match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg813 = msg("00437", part1302); + + var all279 = all_match({ + processors: [ + dup299, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + dup9, + ]), + }); + + var msg814 = msg("00437:01", all279); + + var part1303 = match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + dup9, + ])); + + var msg815 = msg("00437:02", part1303); + + var select304 = linear_select([ + msg813, + msg814, + msg815, + ]); + + var part1304 = match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg816 = msg("00438", part1304); + + var part1305 = match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ])); + + var msg817 = msg("00438:01", part1305); + + var all280 = all_match({ + processors: [ + dup299, + dup338, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup61, + ]), + }); + + var msg818 = msg("00438:02", all280); + + var select305 = linear_select([ + msg816, + msg817, + msg818, + ]); + + var part1306 = match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ])); + + var msg819 = msg("00440", part1306); + + var part1307 = match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg820 = msg("00440:02", part1307); + + var all281 = all_match({ + processors: [ + dup239, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup9, + dup61, + ]), + }); + + var msg821 = msg("00440:01", all281); + + var part1308 = match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); + + var all282 = all_match({ + processors: [ + part1308, + dup343, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup9, + dup60, + ]), + }); + + var msg822 = msg("00440:03", all282); + + var select306 = linear_select([ + msg819, + msg820, + msg821, + msg822, + ]); + + var part1309 = match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, + ])); + + var msg823 = msg("00441", part1309); + + var msg824 = msg("00442", dup396); + + var msg825 = msg("00443", dup396); + + var part1310 = match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg826 = msg("00511", part1310); + + var part1311 = match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); + + var all283 = all_match({ + processors: [ + part1311, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg827 = msg("00511:01", all283); + + var part1312 = match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg828 = msg("00511:02", part1312); + + var part1313 = match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); + + var all284 = all_match({ + processors: [ + part1313, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg829 = msg("00511:03", all284); + + var part1314 = match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); + + var all285 = all_match({ + processors: [ + part1314, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg830 = msg("00511:04", all285); + + var part1315 = match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); + + var all286 = all_match({ + processors: [ + part1315, + dup397, + ], + on_success: processor_chain([ + 
dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg831 = msg("00511:05", all286); + + var part1316 = match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); + + var all287 = all_match({ + processors: [ + part1316, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg832 = msg("00511:06", all287); + + var part1317 = match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); + + var all288 = all_match({ + processors: [ + part1317, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg833 = msg("00511:07", all288); + + var part1318 = match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); + + var all289 = all_match({ + processors: [ + part1318, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg834 = msg("00511:08", all289); + + var part1319 = match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); + + var all290 = all_match({ + processors: [ + part1319, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg835 = msg("00511:09", all290); + + var part1320 = match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); + + var all291 = all_match({ + processors: [ + part1320, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg836 = msg("00511:10", all291); + + var part1321 = match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); + + var all292 = 
all_match({ + processors: [ + part1321, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg837 = msg("00511:11", all292); + + var part1322 = match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); + + var all293 = all_match({ + processors: [ + part1322, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg838 = msg("00511:12", all293); + + var part1323 = match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); + + var all294 = all_match({ + processors: [ + part1323, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg839 = msg("00511:13", all294); + + var part1324 = match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg840 = msg("00511:14", part1324); + + var select307 = linear_select([ + msg826, + msg827, + msg828, + msg829, + msg830, + msg831, + msg832, + msg833, + msg834, + msg835, + msg836, + msg837, + msg838, + msg839, + msg840, + ]); + + var part1325 = match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); + + var part1326 = match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); + + var select308 = linear_select([ + dup123, + part1326, + dup122, + ]); + + var part1327 = match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); + + var part1328 = match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. 
(%{fld1})"); + + var part1329 = match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); + + var select309 = linear_select([ + part1328, + part1329, + ]); + + var all295 = all_match({ + processors: [ + part1325, + select308, + part1327, + select309, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), + }); + + var msg841 = msg("00513", all295); + + var part1330 = match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); + + var select310 = linear_select([ + part1330, + dup287, + ]); + + var part1331 = match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); + + var part1332 = match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); + + var select311 = linear_select([ + dup96, + part1332, + ]); + + var part1333 = match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); + + var all296 = all_match({ + processors: [ + select310, + part1331, + select311, + part1333, + ], + on_success: processor_chain([ + dup301, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg842 = msg("00515", all296); + + var part1334 = match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); + + var part1335 = match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); + + var part1336 = match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); + + var select312 = linear_select([ + part1335, + part1336, + ]); + + var part1337 = match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); + + var all297 = all_match({ + processors: [ + part1334, + select312, + part1337, + ], + on_success: processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup4, + dup5, + dup302, + dup3, + ]), + }); + + var msg843 = msg("00515:01", all297); + + var part1338 = match("MESSAGE#834:00515:02/0", 
"nwparser.payload", "Management session via %{p0}"); + + var part1339 = match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); + + var part1340 = match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); + + var select313 = linear_select([ + part1339, + part1340, + ]); + + var part1341 = match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); + + var part1342 = match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); + + var select314 = linear_select([ + part1341, + part1342, + dup15, + ]); + + var part1343 = match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); + + var all298 = all_match({ + processors: [ + part1338, + select313, + select314, + part1343, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg844 = msg("00515:02", all298); + + var part1344 = match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); + + var part1345 = match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); + + var select315 = linear_select([ + part1344, + part1345, + ]); + + var part1346 = match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); + + var part1347 = match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); + + var select316 = linear_select([ + dup304, + part1347, + ]); + + var all299 = all_match({ + processors: [ + select315, + part1346, + dup398, + dup40, + select316, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg845 = msg("00515:04", all299); + + var part1348 = match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg846 = msg("00515:06", part1348); + + var part1349 = match("MESSAGE#837:00515:05/0", 
"nwparser.payload", "%{}Admin %{p0}"); + + var select317 = linear_select([ + dup305, + dup16, + ]); + + var part1350 = match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); + + var part1351 = match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); + + var select318 = linear_select([ + dup306, + part1351, + dup304, + ]); + + var all300 = all_match({ + processors: [ + part1349, + select317, + part1350, + dup398, + dup40, + select318, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg847 = msg("00515:05", all300); + + var part1352 = match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg848 = msg("00515:07", part1352); + + var part1353 = match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); + + var part1354 = match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); + + var part1355 = match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); + + var select319 = linear_select([ + part1354, + part1355, + ]); + + var part1356 = match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); + + var all301 = all_match({ + processors: [ + part1353, + select319, + part1356, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg849 = msg("00515:08", all301); + + var part1357 = match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg850 = msg("00515:09", part1357); + + var part1358 = 
match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg851 = msg("00515:10", part1358); + + var part1359 = match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg852 = msg("00515:11", part1359); + + var part1360 = match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); + + var part1361 = match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); + + var all302 = all_match({ + processors: [ + part1360, + dup399, + part1361, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg853 = msg("00515:12", all302); + + var select320 = linear_select([ + dup288, + dup287, + ]); + + var part1362 = match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); + + var select321 = linear_select([ + dup306, + dup304, + ]); + + var all303 = all_match({ + processors: [ + select320, + part1362, + dup398, + dup40, + select321, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg854 = msg("00515:13", all303); + + var part1363 = match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); + + var part1364 = match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); + + var select322 = linear_select([ + part1363, + part1364, + ]); + + var part1365 = match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); + + var part1366 = match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); + + var part1367 = 
match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); + + var part1368 = match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); + + var select323 = linear_select([ + part1366, + part1367, + part1368, + ]); + + var all304 = all_match({ + processors: [ + select322, + dup398, + part1365, + select323, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg855 = msg("00515:14", all304); + + var part1369 = match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); + + var part1370 = match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); + + var part1371 = match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); + + var select324 = linear_select([ + part1370, + part1371, + ]); + + var all305 = all_match({ + processors: [ + part1369, + dup398, + dup40, + select324, + dup41, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg856 = msg("00515:15", all305); + + var part1372 = match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); + + var select325 = linear_select([ + part1372, + dup287, + ]); + + var part1373 = match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); + + var part1374 = match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. 
(%{fld1})"); + + var all306 = all_match({ + processors: [ + select325, + part1373, + dup399, + part1374, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg857 = msg("00515:16", all306); + + var part1375 = match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); + + var part1376 = match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); + + var part1377 = match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); + + var select326 = linear_select([ + part1376, + part1377, + ]); + + var part1378 = match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); + + var all307 = all_match({ + processors: [ + part1375, + select326, + part1378, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg858 = msg("00515:17", all307); + + var part1379 = match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg859 = msg("00515:18", part1379); + + var part1380 = match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); + + var part1381 = match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); + + var part1382 = match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. 
(%{p0}"); + + var select327 = linear_select([ + part1381, + part1382, + ]); + + var all308 = all_match({ + processors: [ + part1380, + select327, + dup41, + ], + on_success: processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg860 = msg("00515:19", all308); + + var part1383 = match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ + dup240, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg861 = msg("00515:20", part1383); + + var select328 = linear_select([ + msg842, + msg843, + msg844, + msg845, + msg846, + msg847, + msg848, + msg849, + msg850, + msg851, + msg852, + msg853, + msg854, + msg855, + msg856, + msg857, + msg858, + msg859, + msg860, + msg861, + ]); + + var part1384 = match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg862 = msg("00518", part1384); + + var part1385 = match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg863 = msg("00518:17", part1385); + + var part1386 = match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg864 = msg("00518:01", part1386); + + var part1387 = match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg865 = msg("00518:02", part1387); + + var part1388 = match("MESSAGE#856:00518:03", "nwparser.payload", "User 
%{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg866 = msg("00518:03", part1388); + + var part1389 = match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg867 = msg("00518:04", part1389); + + var part1390 = match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg868 = msg("00518:05", part1390); + + var part1391 = match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ + dup35, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg869 = msg("00518:06", part1391); + + var part1392 = match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); + + var part1393 = match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); + + var select329 = linear_select([ + dup24, + part1393, + ]); + + var part1394 = match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); + + var all309 = all_match({ + processors: [ + part1392, + select329, + part1394, + ], + on_success: processor_chain([ + dup53, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg870 = msg("00518:07", all309); + + var part1395 = match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ + dup35, + dup29, + dup31, + dup39, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg871 = msg("00518:08", part1395); + + var 
part1396 = match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg872 = msg("00518:09", part1396); + + var part1397 = match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup4, + dup9, + dup5, + dup3, + dup302, + ])); + + var msg873 = msg("00518:10", part1397); + + var part1398 = match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); + + var part1399 = match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); + + var part1400 = match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); + + var select330 = linear_select([ + part1399, + part1400, + ]); + + var part1401 = match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); + + var all310 = all_match({ + processors: [ + part1398, + select330, + part1401, + ], + on_success: processor_chain([ + dup206, + dup29, + dup30, + dup31, + dup54, + dup2, + dup9, + dup4, + dup5, + dup3, + ]), + }); + + var msg874 = msg("00518:11", all310); + + var part1402 = match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup240, + dup2, + dup4, + dup9, + dup5, + dup3, + ])); + + var msg875 = msg("00518:12", part1402); + + var part1403 = match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. 
(%{fld1})", processor_chain([ + dup290, + dup2, + dup3, + dup4, + dup9, + dup5, + ])); + + var msg876 = msg("00518:13", part1403); + + var part1404 = match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ + dup290, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg877 = msg("00518:14", part1404); + + var select331 = linear_select([ + msg862, + msg863, + msg864, + msg865, + msg866, + msg867, + msg868, + msg869, + msg870, + msg871, + msg872, + msg873, + msg874, + msg875, + msg876, + msg877, + ]); + + var part1405 = match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); + + var part1406 = match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); + + var part1407 = match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); + + var select332 = linear_select([ + dup194, + part1406, + part1407, + ]); + + var part1408 = match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); + + var part1409 = match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); + + var select333 = linear_select([ + part1409, + dup16, + ]); + + var part1410 = match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); + + var all311 = all_match({ + processors: [ + part1405, + select332, + part1408, + select333, + part1410, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg878 = msg("00519", all311); + + var part1411 = match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); + + var select334 = linear_select([ + dup307, + dup305, + ]); + + var part1412 = match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); + + var all312 = all_match({ + processors: [ + part1411, + select334, + part1412, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, 
+ dup4, + dup5, + ]), + }); + + var msg879 = msg("00519:01", all312); + + var part1413 = match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); + + var select335 = linear_select([ + dup307, + part1413, + ]); + + var part1414 = match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); + + var all313 = all_match({ + processors: [ + dup160, + select335, + part1414, + ], + on_success: processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg880 = msg("00519:02", all313); + + var part1415 = match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ + dup240, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg881 = msg("00519:03", part1415); + + var part1416 = match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ + dup240, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg882 = msg("00519:04", part1416); + + var part1417 = match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ + dup240, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg883 = msg("00519:05", part1417); + + var select336 = linear_select([ + msg878, + msg879, + msg880, + msg881, + msg882, + msg883, + ]); + + var part1418 = match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg884 = msg("00520", part1418); + + var part1419 = match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); + + var part1420 = match("MESSAGE#875:00520:01/1_0", 
"nwparser.p0", "RADIUS %{p0}"); + + var part1421 = match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); + + var part1422 = match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); + + var part1423 = match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); + + var select337 = linear_select([ + part1420, + part1421, + part1422, + part1423, + ]); + + var part1424 = match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); + + var all314 = all_match({ + processors: [ + part1419, + select337, + part1424, + ], + on_success: processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg885 = msg("00520:01", all314); + + var part1425 = match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); + + var part1426 = match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); + + var all315 = all_match({ + processors: [ + part1425, + dup400, + part1426, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg886 = msg("00520:02", all315); + + var part1427 = match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); + + var part1428 = match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); + + var part1429 = match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); + + var select338 = linear_select([ + part1427, + part1428, + part1429, + ]); + + var part1430 = match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); + + var part1431 = match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); + + var part1432 = match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); + + var all316 = all_match({ + processors: [ + dup160, + select338, + part1430, + dup400, + part1431, + dup400, + part1432, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg887 = msg("00520:03", all316); + + var part1433 = 
match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg888 = msg("00520:04", part1433); + + var part1434 = match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg889 = msg("00520:05", part1434); + + var select339 = linear_select([ + msg884, + msg885, + msg886, + msg887, + msg888, + msg889, + ]); + + var part1435 = match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg890 = msg("00521", part1435); + + var part1436 = match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg891 = msg("00522", part1436); + + var part1437 = match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg892 = msg("00523", part1437); + + var part1438 = match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ + dup209, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg893 = msg("00524", part1438); + + var part1439 = match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg894 = msg("00524:02", part1439); + + var part1440 = match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg895 = msg("00524:03", part1440); + + var part1441 = match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg896 = msg("00524:04", part1441); + + var part1442 = match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg897 = msg("00524:05", part1442); + + var part1443 = match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg898 = msg("00524:06", part1443); + + var part1444 = match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg899 = msg("00524:12", part1444); + + var part1445 = match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. 
(%{fld1})", processor_chain([ + dup19, + dup2, + dup4, + setc("result","the SNMP version type is incorrect"), + dup5, + dup9, + ])); + + var msg900 = msg("00524:14", part1445); + + var part1446 = match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); + + var part1447 = match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); + + var all317 = all_match({ + processors: [ + part1446, + dup401, + part1447, + ], + on_success: processor_chain([ + dup18, + dup2, + dup4, + dup5, + ]), + }); + + var msg901 = msg("00524:13", all317); + + var part1448 = match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg902 = msg("00524:07", part1448); + + var part1449 = match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg903 = msg("00524:08", part1449); + + var part1450 = match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg904 = msg("00524:09", part1450); + + var part1451 = match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg905 = msg("00524:10", part1451); + + var part1452 = match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + ])); + + var msg906 = msg("00524:11", part1452); + + var part1453 = match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg907 = msg("00524:16", part1453); + + var select340 = linear_select([ + msg893, + msg894, + msg895, + msg896, + msg897, + msg898, + msg899, + msg900, + msg901, + msg902, + msg903, + msg904, + msg905, + msg906, + msg907, + ]); + + var part1454 = match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ + dup203, + setc("ec_subject","Password"), + dup38, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg908 = msg("00525", part1454); + + var part1455 = match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg909 = msg("00525:01", part1455); + + var part1456 = match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg910 = msg("00525:02", part1456); + + var part1457 = match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg911 = msg("00525:03", part1457); + + var select341 = linear_select([ + msg908, + msg909, + msg910, + msg911, + ]); + + var part1458 = match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ + dup37, + dup219, + dup38, + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg912 = msg("00526", part1458); + + var part1459 = match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); + + var part1460 = match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); + + var select342 = 
linear_select([ + dup311, + part1460, + ]); + + var part1461 = match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); + + var part1462 = match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); + + var part1463 = match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); + + var select343 = linear_select([ + dup312, + part1462, + part1463, + ]); + + var all318 = all_match({ + processors: [ + part1459, + select342, + part1461, + select343, + dup108, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg913 = msg("00527", all318); + + var part1464 = match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg914 = msg("00527:01", part1464); + + var part1465 = match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); + + var part1466 = match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); + + var part1467 = match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); + + var select344 = linear_select([ + dup311, + part1466, + part1467, + ]); + + var part1468 = match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); + + var all319 = all_match({ + processors: [ + part1465, + select344, + part1468, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg915 = msg("00527:02", all319); + + var part1469 = match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg916 = msg("00527:03", part1469); + + var part1470 = match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + 
])); + + var msg917 = msg("00527:04", part1470); + + var part1471 = match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); + + var all320 = all_match({ + processors: [ + dup210, + dup337, + part1471, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg918 = msg("00527:05", all320); + + var part1472 = match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); + + var select345 = linear_select([ + dup106, + dup127, + ]); + + var part1473 = match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); + + var select346 = linear_select([ + dup312, + part1473, + ]); + + var part1474 = match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); + + var all321 = all_match({ + processors: [ + part1472, + select345, + dup23, + select346, + part1474, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg919 = msg("00527:06", all321); + + var part1475 = match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg920 = msg("00527:07", part1475); + + var part1476 = match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg921 = msg("00527:08", part1476); + + var part1477 = match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); + + var part1478 = match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); + + var part1479 = match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); + + var select347 = linear_select([ + part1478, + part1479, + ]); + + var all322 = all_match({ + processors: [ + part1477, + select347, + dup41, + ], + on_success: processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg922 = msg("00527:09", all322); + + var part1480 = match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg923 = msg("00527:10", part1480); + + var select348 = linear_select([ + msg913, + msg914, + msg915, + msg916, + msg917, + msg918, + msg919, + msg920, + msg921, + msg922, + msg923, + ]); + + var part1481 = match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ + setc("eventcategory","1302010000"), + dup29, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg924 = msg("00528", part1481); + + var part1482 = match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg925 = msg("00528:01", part1482); + + var part1483 = match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg926 = msg("00528:02", part1483); + + var part1484 = match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg927 = msg("00528:03", part1484); + + var part1485 = match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ + dup203, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg928 = msg("00528:04", part1485); + + var part1486 = match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ + dup203, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg929 = msg("00528:05", part1486); + + var part1487 = match("MESSAGE#918:00528:06", 
"nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ + dup313, + dup2, + dup3, + dup4, + dup5, + setc("result","invalid version string"), + ])); + + var msg930 = msg("00528:06", part1487); + + var part1488 = match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); + + var part1489 = match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); + + var part1490 = match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); + + var part1491 = match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); + + var select349 = linear_select([ + dup88, + part1489, + part1490, + part1491, + ]); + + var part1492 = match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); + + var all323 = all_match({ + processors: [ + part1488, + select349, + part1492, + ], + on_success: processor_chain([ + dup314, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg931 = msg("00528:07", all323); + + var part1493 = match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ + dup314, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg932 = msg("00528:08", part1493); + + var part1494 = match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg933 = msg("00528:09", part1494); + + var part1495 = match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. 
Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg934 = msg("00528:10", part1495); + + var part1496 = match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg935 = msg("00528:11", part1496); + + var part1497 = match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("disposition","disabled"), + ])); + + var msg936 = msg("00528:12", part1497); + + var part1498 = match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); + + var part1499 = match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); + + var part1500 = match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); + + var select350 = linear_select([ + part1499, + part1500, + ]); + + var part1501 = match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); + + var part1502 = match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); + + var part1503 = match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); + + var select351 = linear_select([ + part1503, + dup157, + ]); + + var part1504 = match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); + + var all324 = all_match({ + processors: [ + part1498, + select350, + part1501, + dup337, + part1502, + select351, + part1504, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg937 = msg("00528:13", all324); + + var part1505 = match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH 
client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg938 = msg("00528:14", part1505); + + var part1506 = match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); + + var part1507 = match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); + + var select352 = linear_select([ + dup315, + part1507, + ]); + + var part1508 = match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); + + var part1509 = match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); + + var part1510 = match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); + + var select353 = linear_select([ + part1509, + part1510, + ]); + + var all325 = all_match({ + processors: [ + part1506, + select352, + part1508, + select353, + dup108, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg939 = msg("00528:15", all325); + + var part1511 = match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg940 = msg("00528:16", part1511); + + var part1512 = match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. 
Attempted file transfer failed from host %{saddr}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg941 = msg("00528:17", part1512); + + var part1513 = match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); + + var all326 = all_match({ + processors: [ + dup316, + dup402, + part1513, + dup403, + dup320, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("disposition","successful"), + setc("event_description","authentication successful for admin user"), + ]), + }); + + var msg942 = msg("00528:18", all326); + + var part1514 = match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); + + var all327 = all_match({ + processors: [ + dup316, + dup402, + part1514, + dup403, + dup320, + ], + on_success: processor_chain([ + dup206, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup302, + dup3, + setc("event_description","authentication failed for admin user"), + ]), + }); + + var msg943 = msg("00528:26", all327); + + var part1515 = match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); + + var all328 = all_match({ + processors: [ + dup321, + dup404, + part1515, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg944 = msg("00528:19", all328); + + var part1516 = match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); + + var all329 = all_match({ + processors: [ + dup321, + dup404, + part1516, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg945 = msg("00528:20", all329); + + var part1517 = match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that 
client.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg946 = msg("00528:21", part1517); + + var part1518 = match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); + + var part1519 = match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); + + var all330 = all_match({ + processors: [ + part1518, + dup337, + part1519, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("result","SCS is not enabled for that interface"), + ]), + }); + + var msg947 = msg("00528:22", all330); + + var part1520 = match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + setc("result","SCS cannot generate the host and server keys before timing out"), + ])); + + var msg948 = msg("00528:23", part1520); + + var part1521 = match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup281, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg949 = msg("00528:24", part1521); + + var part1522 = match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); + + var part1523 = match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); + + var all331 = all_match({ + processors: [ + part1522, + dup403, + part1523, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup3, + ]), + }); + + var msg950 = msg("00528:25", all331); + + var select354 = linear_select([ + msg924, + msg925, + msg926, + msg927, + msg928, + msg929, + msg930, + 
msg931, + msg932, + msg933, + msg934, + msg935, + msg936, + msg937, + msg938, + msg939, + msg940, + msg941, + msg942, + msg943, + msg944, + msg945, + msg946, + msg947, + msg948, + msg949, + msg950, + ]); + + var part1524 = match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); + + var part1525 = match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); + + var select355 = linear_select([ + part1524, + part1525, + ]); + + var part1526 = match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); + + var all332 = all_match({ + processors: [ + dup63, + select355, + part1526, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg951 = msg("00529", all332); + + var part1527 = match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); + + var part1528 = match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); + + var part1529 = match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); + + var select356 = linear_select([ + part1528, + part1529, + ]); + + var all333 = all_match({ + processors: [ + part1527, + select356, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg952 = msg("00529:01", all333); + + var select357 = linear_select([ + msg951, + msg952, + ]); + + var part1530 = match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ + dup272, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg953 = msg("00530", part1530); + + var part1531 = match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); + + var part1532 = match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); + + var all334 = all_match({ + processors: [ + part1531, + dup337, + part1532, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), 
+ }); + + var msg954 = msg("00530:01", all334); + + var part1533 = match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg955 = msg("00530:02", part1533); + + var part1534 = match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg956 = msg("00530:03", part1534); + + var part1535 = match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg957 = msg("00530:04", part1535); + + var part1536 = match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg958 = msg("00530:05", part1536); + + var part1537 = match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg959 = msg("00530:06", part1537); + + var select358 = linear_select([ + msg953, + msg954, + msg955, + msg956, + msg957, + msg958, + msg959, + ]); + + var part1538 = match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); + + var all335 = all_match({ + processors: [ + part1538, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg960 = msg("00531", all335); + + var part1539 = match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg961 = msg("00531:01", 
part1539); + + var part1540 = match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg962 = msg("00531:02", part1540); + + var part1541 = match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); + + var part1542 = match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); + + var select359 = linear_select([ + part1542, + dup115, + ]); + + var part1543 = match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); + + var part1544 = match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); + + var part1545 = match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); + + var select360 = linear_select([ + part1544, + part1545, + ]); + + var all336 = all_match({ + processors: [ + part1541, + select359, + part1543, + select360, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup146, + ]), + }); + + var msg963 = msg("00531:03", all336); + + var part1546 = match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); + + var part1547 = match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); + + var part1548 = match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); + + var select361 = linear_select([ + part1547, + part1548, + dup189, + ]); + + var part1549 = match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); + + var all337 = all_match({ + processors: [ + part1546, + select361, + part1549, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg964 = msg("00531:04", all337); + + var part1550 = match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. 
(%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg965 = msg("00531:05", part1550); + + var part1551 = match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg966 = msg("00531:06", part1551); + + var part1552 = match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg967 = msg("00531:07", part1552); + + var part1553 = match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg968 = msg("00531:08", part1553); + + var part1554 = match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. 
(%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg969 = msg("00531:09", part1554); + + var part1555 = match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg970 = msg("00531:10", part1555); + + var part1556 = match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","system clock changed based on receive from primary NTP server"), + ])); + + var msg971 = msg("00531:11", part1556); + + var part1557 = match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg972 = msg("00531:12", part1557); + + var select362 = linear_select([ + msg960, + msg961, + msg962, + msg963, + msg964, + msg965, + msg966, + msg967, + msg968, + msg969, + msg970, + msg971, + msg972, + ]); + + var part1558 = match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg973 = msg("00533", part1558); + + var part1559 = match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg974 = msg("00534", part1559); + + var part1560 = match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg975 = msg("00535", part1560); + + var part1561 = match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 
certificate request is %{disposition}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg976 = msg("00535:01", part1561); + + var part1562 = match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg977 = msg("00535:02", part1562); + + var part1563 = match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg978 = msg("00535:03", part1563); + + var part1564 = match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + setc("result","SCEP_FAILURE message"), + ])); + + var msg979 = msg("00535:04", part1564); + + var part1565 = match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg980 = msg("00535:05", part1565); + + var part1566 = match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ + dup314, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Saved CA configuration - cert subject name"), + ])); + + var msg981 = msg("00535:06", part1566); + + var select363 = linear_select([ + msg975, + msg976, + msg977, + msg978, + msg979, + msg980, + msg981, + ]); + + var part1567 = match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); + + var part1568 = match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); + + var part1569 = match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); + + var part1570 = match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. 
%{p0}"); + + var part1571 = match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); + + var select364 = linear_select([ + part1568, + part1569, + part1570, + part1571, + ]); + + var all338 = all_match({ + processors: [ + part1567, + select364, + dup10, + ], + on_success: processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), + }); + + var msg982 = msg("00536:49", all338); + + var part1572 = match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg983 = msg("00536", part1572); + + var part1573 = match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg984 = msg("00536:01", part1573); + + var part1574 = match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg985 = msg("00536:02", part1574); + + var part1575 = match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. 
%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg986 = msg("00536:03", part1575); + + var part1576 = match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ + setc("eventcategory","1801010100"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg987 = msg("00536:04", part1576); + + var part1577 = match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg988 = msg("00536:05", part1577); + + var part1578 = match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg989 = msg("00536:06", part1578); + + var part1579 = match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg990 = msg("00536:07", part1579); + + var part1580 = match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg991 = msg("00536:08", part1580); + + var part1581 = match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg992 = msg("00536:09", part1581); + + var part1582 = match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg993 = msg("00536:10", part1582); + + var part1583 = match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after 
receiving a notification message", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg994 = msg("00536:11", part1583); + + var part1584 = match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg995 = msg("00536:12", part1584); + + var part1585 = match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg996 = msg("00536:13", part1585); + + var part1586 = match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); + + var part1587 = match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); + + var all339 = all_match({ + processors: [ + part1586, + dup383, + part1587, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg997 = msg("00536:14", all339); + + var part1588 = match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ])); + + var msg998 = msg("00536:50", part1588); + + var part1589 = match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg999 = msg("00536:15", part1589); + + var part1590 = match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1000 = msg("00536:16", part1590); + + var part1591 = match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1001 = msg("00536:17", part1591); + + var part1592 = match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1002 = msg("00536:18", part1592); + + var part1593 = match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1003 = msg("00536:19", part1593); + + var part1594 = match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1004 = msg("00536:20", part1594); + + var part1595 = match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1005 = msg("00536:21", part1595); + + var part1596 = match("MESSAGE#993:00536:22", 
"nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("result","Negotiations failed"), + ])); + + var msg1006 = msg("00536:22", part1596); + + var part1597 = match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("result","The time limit has elapsed"), + setc("disposition","Aborted"), + ])); + + var msg1007 = msg("00536:23", part1597); + + var part1598 = match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1008 = msg("00536:24", part1598); + + var part1599 = match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1009 = msg("00536:25", part1599); + + var part1600 = match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1010 = msg("00536:26", part1600); + + var part1601 = match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1011 = msg("00536:27", part1601); + + var part1602 = match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1012 = msg("00536:28", part1602); + + 
var part1603 = match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1013 = msg("00536:29", part1603); + + var part1604 = match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1014 = msg("00536:30", part1604); + + var part1605 = match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1015 = msg("00536:31", part1605); + + var part1606 = match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1016 = msg("00536:32", part1606); + + var part1607 = match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1017 = msg("00536:33", part1607); + + var part1608 = match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1018 = msg("00536:34", part1608); + + var part1609 = match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1019 = msg("00536:35", part1609); + + var part1610 = match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); + + var 
part1611 = match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); + + var all340 = all_match({ + processors: [ + part1610, + dup401, + part1611, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1020 = msg("00536:36", all340); + + var part1612 = match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1021 = msg("00536:37", part1612); + + var part1613 = match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1022 = msg("00536:38", part1613); + + var part1614 = match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1023 = msg("00536:39", part1614); + + var part1615 = match("MESSAGE#1011:00536:40", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{quote}s gateway has a dynamic IP address and negotiations are in Main mode", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1024 = msg("00536:40", part1615); + + var part1616 = match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1025 = msg("00536:47", part1616); + + var part1617 = match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1026 = msg("00536:41", part1617); + + var part1618 = 
match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1027 = msg("00536:42", part1618); + + var part1619 = match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1028 = msg("00536:43", part1619); + + var part1620 = match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1029 = msg("00536:44", part1620); + + var part1621 = match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1030 = msg("00536:45", part1621); + + var part1622 = match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. 
(%{event_time_string})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Received an IKE packet on interface"), + ])); + + var msg1031 = msg("00536:48", part1622); + + var part1623 = match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1032 = msg("00536:46", part1623); + + var select365 = linear_select([ + msg982, + msg983, + msg984, + msg985, + msg986, + msg987, + msg988, + msg989, + msg990, + msg991, + msg992, + msg993, + msg994, + msg995, + msg996, + msg997, + msg998, + msg999, + msg1000, + msg1001, + msg1002, + msg1003, + msg1004, + msg1005, + msg1006, + msg1007, + msg1008, + msg1009, + msg1010, + msg1011, + msg1012, + msg1013, + msg1014, + msg1015, + msg1016, + msg1017, + msg1018, + msg1019, + msg1020, + msg1021, + msg1022, + msg1023, + msg1024, + msg1025, + msg1026, + msg1027, + msg1028, + msg1029, + msg1030, + msg1031, + msg1032, + ]); + + var part1624 = match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg1033 = msg("00537", part1624); + + var part1625 = match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1034 = msg("00537:01", part1625); + + var part1626 = match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1035 = msg("00537:02", part1626); + + var part1627 = match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1036 = msg("00537:03", part1627); + + var select366 = 
linear_select([ + msg1033, + msg1034, + msg1035, + msg1036, + ]); + + var part1628 = match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); + + var select367 = linear_select([ + dup111, + dup119, + ]); + + var part1629 = match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); + + var all341 = all_match({ + processors: [ + part1628, + select367, + part1629, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1037 = msg("00538", all341); + + var part1630 = match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1038 = msg("00538:01", part1630); + + var part1631 = match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1039 = msg("00538:02", part1631); + + var part1632 = match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ + dup19, + dup2, + dup4, + dup5, + dup3, + ])); + + var msg1040 = msg("00538:03", part1632); + + var part1633 = match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1041 = msg("00538:04", part1633); + + var part1634 = match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); + + var part1635 = match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); + + var part1636 = match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); + + var select368 = linear_select([ + part1635, + part1636, + ]); + + var part1637 = 
match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); + + var all342 = all_match({ + processors: [ + part1634, + select368, + part1637, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1042 = msg("00538:05", all342); + + var part1638 = match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); + + var part1639 = match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); + + var part1640 = match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); + + var select369 = linear_select([ + part1639, + part1640, + ]); + + var part1641 = match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); + + var all343 = all_match({ + processors: [ + part1638, + select369, + part1641, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1043 = msg("00538:06", all343); + + var part1642 = match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); + + var part1643 = match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); + + var select370 = linear_select([ + part1643, + dup16, + ]); + + var all344 = all_match({ + processors: [ + part1642, + select370, + dup136, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1044 = msg("00538:07", all344); + + var part1644 = match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1045 = msg("00538:08", part1644); + + var part1645 = match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ + dup301, + dup2, + dup3, + dup9, + dup4, + dup5, + 
setc("event_description","Connected to NSM server"), + ])); + + var msg1046 = msg("00538:09", part1645); + + var part1646 = match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); + + var part1647 = match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); + + var select371 = linear_select([ + part1647, + dup41, + ]); + + var all345 = all_match({ + processors: [ + part1646, + select371, + ], + on_success: processor_chain([ + dup198, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","Connection to NSM server is down"), + ]), + }); + + var msg1047 = msg("00538:10", all345); + + var part1648 = match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ + dup198, + dup2, + dup3, + dup9, + dup4, + dup5, + dup323, + ])); + + var msg1048 = msg("00538:11", part1648); + + var part1649 = match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. 
Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ + dup198, + dup2, + dup3, + dup9, + dup4, + dup5, + dup323, + ])); + + var msg1049 = msg("00538:12", part1649); + + var part1650 = match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","Sent 2B message"), + ])); + + var msg1050 = msg("00538:13", part1650); + + var select372 = linear_select([ + msg1037, + msg1038, + msg1039, + msg1040, + msg1041, + msg1042, + msg1043, + msg1044, + msg1045, + msg1046, + msg1047, + msg1048, + msg1049, + msg1050, + ]); + + var part1651 = match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1051 = msg("00539", part1651); + + var part1652 = match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1052 = msg("00539:01", part1652); + + var part1653 = match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1053 = msg("00539:02", part1653); + + var part1654 = match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1054 = msg("00539:03", part1654); + + var part1655 = match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1055 = msg("00539:04", part1655); + + var part1656 = match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. 
You cannot allocate an IP address%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1056 = msg("00539:05", part1656); + + var part1657 = match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1057 = msg("00539:06", part1657); + + var select373 = linear_select([ + msg1051, + msg1052, + msg1053, + msg1054, + msg1055, + msg1056, + msg1057, + ]); + + var part1658 = match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ + dup324, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1058 = msg("00541", part1658); + + var part1659 = match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ + dup273, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1059 = msg("00541:01", part1659); + + var part1660 = match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ + dup273, + dup9, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1060 = msg("00541:02", part1660); + + var part1661 = match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. 
(%{fld1})%{p0}"); + + var part1662 = match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); + + var select374 = linear_select([ + part1662, + dup21, + ]); + + var all346 = all_match({ + processors: [ + part1661, + select374, + ], + on_success: processor_chain([ + dup44, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1061 = msg("00541:03", all346); + + var select375 = linear_select([ + msg1058, + msg1059, + msg1060, + msg1061, + ]); + + var part1663 = match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1062 = msg("00542", part1663); + + var part1664 = match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); + + var part1665 = match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); + + var part1666 = match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); + + var select376 = linear_select([ + part1665, + part1666, + ]); + + var part1667 = match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); + + var part1668 = match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); + + var select377 = linear_select([ + part1668, + dup106, + ]); + + var part1669 = match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); + + var all347 = all_match({ + processors: [ + part1664, + select376, + part1667, + select377, + part1669, + ], + on_success: processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup9, + dup3, + ]), + }); + + var msg1063 = msg("00543", all347); + + var part1670 = match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ + dup281, + dup2, + dup4, + 
dup5, + dup3, + dup60, + setc("action","RADIUS server challenge"), + ])); + + var msg1064 = msg("00544", part1670); + + var part1671 = match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ + dup281, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1065 = msg("00546", part1671); + + var part1672 = match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg1066 = msg("00547", part1672); + + var part1673 = match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, + ])); + + var msg1067 = msg("00547:01", part1673); + + var part1674 = match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1068 = msg("00547:02", part1674); + + var part1675 = match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); + + var part1676 = match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); + + var part1677 = match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); + + var select378 = linear_select([ + part1676, + part1677, + ]); + + var part1678 = match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. 
(%{event_time_string})"); + + var all348 = all_match({ + processors: [ + part1675, + select378, + part1678, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Content is bypassed for connection"), + ]), + }); + + var msg1069 = msg("00547:03", all348); + + var select379 = linear_select([ + msg1066, + msg1067, + msg1068, + msg1069, + ]); + + var part1679 = match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ + dup281, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1070 = msg("00549", part1679); + + var part1680 = match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1071 = msg("00551", part1680); + + var part1681 = match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1072 = msg("00551:01", part1681); + + var part1682 = match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); + + var part1683 = match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); + + var select380 = linear_select([ + part1683, + dup89, + ]); + + var all349 = all_match({ + processors: [ + part1682, + select380, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1073 = msg("00551:02", all349); + + var part1684 = match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. 
(%{fld1})", processor_chain([ + dup18, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1074 = msg("00551:03", part1684); + + var part1685 = match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1075 = msg("00551:04", part1685); + + var select381 = linear_select([ + msg1071, + msg1072, + msg1073, + msg1074, + msg1075, + ]); + + var part1686 = match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); + + var part1687 = match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); + + var part1688 = match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); + + var part1689 = match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); + + var select382 = linear_select([ + part1687, + part1688, + part1689, + ]); + + var all350 = all_match({ + processors: [ + part1686, + select382, + dup325, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1076 = msg("00553", all350); + + var part1690 = match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1077 = msg("00553:01", part1690); + + var part1691 = match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1078 = msg("00553:02", part1691); + + var part1692 = match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1079 = msg("00553:03", part1692); + + var part1693 = match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve 
%{p0}"); + + var select383 = linear_select([ + dup326, + dup327, + ]); + + var part1694 = match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); + + var all351 = all_match({ + processors: [ + part1693, + select383, + part1694, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1080 = msg("00553:04", all351); + + var part1695 = match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1081 = msg("00553:05", part1695); + + var part1696 = match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1082 = msg("00553:06", part1696); + + var part1697 = match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1083 = msg("00553:07", part1697); + + var part1698 = match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); + + var select384 = linear_select([ + dup327, + dup326, + ]); + + var all352 = all_match({ + processors: [ + part1698, + select384, + dup328, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1084 = msg("00553:08", all352); + + var part1699 = match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1085 = msg("00553:09", part1699); + + var part1700 = match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1086 = 
msg("00553:10", part1700); + + var part1701 = match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1087 = msg("00553:11", part1701); + + var part1702 = match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1088 = msg("00553:12", part1702); + + var part1703 = match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1089 = msg("00553:13", part1703); + + var part1704 = match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1090 = msg("00553:14", part1704); + + var part1705 = match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. 
Left usage: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1091 = msg("00553:15", part1705); + + var part1706 = match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1092 = msg("00553:16", part1706); + + var part1707 = match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1093 = msg("00553:17", part1707); + + var part1708 = match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1094 = msg("00553:18", part1708); + + var part1709 = match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1095 = msg("00553:19", part1709); + + var part1710 = match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1096 = msg("00553:20", part1710); + + var part1711 = match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1097 = msg("00553:21", part1711); + + var part1712 = match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1098 = msg("00553:22", part1712); + + var select385 = linear_select([ + msg1076, + msg1077, + msg1078, + msg1079, + msg1080, + msg1081, + msg1082, + msg1083, + 
msg1084, + msg1085, + msg1086, + msg1087, + msg1088, + msg1089, + msg1090, + msg1091, + msg1092, + msg1093, + msg1094, + msg1095, + msg1096, + msg1097, + msg1098, + ]); + + var part1713 = match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); + + var part1714 = match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); + + var part1715 = match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); + + var part1716 = match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); + + var select386 = linear_select([ + part1714, + part1715, + part1716, + ]); + + var all353 = all_match({ + processors: [ + part1713, + select386, + dup325, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1099 = msg("00554", all353); + + var part1717 = match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1100 = msg("00554:01", part1717); + + var part1718 = match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1101 = msg("00554:02", part1718); + + var part1719 = match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1102 = msg("00554:03", part1719); + + var part1720 = match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); + + var part1721 = match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. 
HTTP status code: %{fld2}."); + + var all354 = all_match({ + processors: [ + part1720, + dup405, + part1721, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1103 = msg("00554:04", all354); + + var part1722 = match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); + + var part1723 = match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); + + var part1724 = match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); + + var select387 = linear_select([ + part1723, + part1724, + ]); + + var all355 = all_match({ + processors: [ + part1722, + select387, + dup116, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1104 = msg("00554:05", all355); + + var part1725 = match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1105 = msg("00554:06", part1725); + + var part1726 = match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); + + var all356 = all_match({ + processors: [ + part1726, + dup405, + dup328, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1106 = msg("00554:07", all356); + + var part1727 = match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. 
%{fld3->} %{p0}"); + + var part1728 = match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); + + var part1729 = match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); + + var part1730 = match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); + + var select388 = linear_select([ + part1728, + part1729, + part1730, + ]); + + var all357 = all_match({ + processors: [ + part1727, + select388, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1107 = msg("00554:08", all357); + + var part1731 = match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1108 = msg("00554:09", part1731); + + var part1732 = match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1109 = msg("00554:10", part1732); + + var part1733 = match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1110 = msg("00554:11", part1733); + + var part1734 = match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); + + var part1735 = match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); + + var part1736 = match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); + + var select389 = linear_select([ + part1735, + part1736, + ]); + + var part1737 = match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); + + var part1738 = match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); + + var part1739 = match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of 
concurrent messages %{p0}"); + + var select390 = linear_select([ + part1738, + part1739, + ]); + + var part1740 = match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); + + var all358 = all_match({ + processors: [ + part1734, + select389, + part1737, + select390, + part1740, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1111 = msg("00554:12", all358); + + var part1741 = match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1112 = msg("00554:13", part1741); + + var part1742 = match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1113 = msg("00554:14", part1742); + + var part1743 = match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1114 = msg("00554:15", part1743); + + var part1744 = match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1115 = msg("00554:16", part1744); + + var part1745 = match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. 
(Exp: %{fld3})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1116 = msg("00554:17", part1745); + + var select391 = linear_select([ + msg1099, + msg1100, + msg1101, + msg1102, + msg1103, + msg1104, + msg1105, + msg1106, + msg1107, + msg1108, + msg1109, + msg1110, + msg1111, + msg1112, + msg1113, + msg1114, + msg1115, + msg1116, + ]); + + var part1746 = match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1117 = msg("00555", part1746); + + var part1747 = match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1118 = msg("00556", part1747); + + var part1748 = match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1119 = msg("00556:01", part1748); + + var part1749 = match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); + + var part1750 = match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); + + var part1751 = match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); + + var select392 = linear_select([ + part1750, + part1751, + ]); + + var part1752 = match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); + + var part1753 = match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); + + var part1754 = match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); + + var select393 = linear_select([ + part1753, + part1754, + ]); + + var part1755 = match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); + + var all359 = all_match({ + processors: [ + part1749, + select392, + part1752, + select393, + part1755, + ], + on_success: processor_chain([ + 
dup254, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1120 = msg("00556:02", all359); + + var part1756 = match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); + + var part1757 = match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); + + var part1758 = match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); + + var select394 = linear_select([ + part1757, + part1758, + ]); + + var part1759 = match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); + + var all360 = all_match({ + processors: [ + part1756, + select394, + part1759, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1121 = msg("00556:03", all360); + + var part1760 = match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1122 = msg("00556:04", part1760); + + var part1761 = match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1123 = msg("00556:05", part1761); + + var part1762 = match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1124 = msg("00556:06", part1762); + + var part1763 = match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1125 = msg("00556:07", part1763); + + var part1764 = match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); + + var all361 = all_match({ + processors: [ + part1764, + dup358, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1126 = msg("00556:08", all361); + + var part1765 = 
match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + dup282, + ])); + + var msg1127 = msg("00556:09", part1765); + + var part1766 = match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ + dup232, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1128 = msg("00556:10", part1766); + + var part1767 = match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1129 = msg("00556:11", part1767); + + var part1768 = match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); + + var select395 = linear_select([ + dup140, + dup169, + ]); + + var part1769 = match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); + + var all362 = all_match({ + processors: [ + part1768, + select395, + part1769, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1130 = msg("00556:12", all362); + + var part1770 = match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1131 = msg("00556:13", part1770); + + var part1771 = match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); + + var part1772 = match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); + + var all363 = all_match({ + processors: [ + part1771, + dup406, + part1772, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1132 = msg("00556:14", all363); + + var 
part1773 = match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); + + var part1774 = match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); + + var all364 = all_match({ + processors: [ + part1773, + dup406, + part1774, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + dup282, + ]), + }); + + var msg1133 = msg("00556:15", all364); + + var part1775 = match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); + + var part1776 = match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); + + var part1777 = match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); + + var select396 = linear_select([ + part1776, + part1777, + ]); + + var part1778 = match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); + + var select397 = linear_select([ + dup104, + dup120, + ]); + + var all365 = all_match({ + processors: [ + part1775, + select396, + part1778, + select397, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1134 = msg("00556:16", all365); + + var part1779 = match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); + + var part1780 = match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); + + var part1781 = match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); + + var select398 = linear_select([ + part1780, + part1781, + ]); + + var part1782 = match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); + + var all366 = all_match({ + processors: [ + part1779, + select398, + part1782, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1135 = msg("00556:17", all366); + + var part1783 = match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); 
+ + var part1784 = match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); + + var select399 = linear_select([ + dup101, + part1784, + ]); + + var part1785 = match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); + + var all367 = all_match({ + processors: [ + part1783, + select399, + part1785, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1136 = msg("00556:18", all367); + + var part1786 = match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); + + var part1787 = match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); + + var select400 = linear_select([ + dup103, + dup96, + ]); + + var part1788 = match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); + + var all368 = all_match({ + processors: [ + part1786, + dup355, + part1787, + select400, + part1788, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1137 = msg("00556:20", all368); + + var part1789 = match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ + dup232, + dup2, + dup3, + dup9, + dup4, + dup5, + dup282, + ])); + + var msg1138 = msg("00556:21", part1789); + + var part1790 = match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ + dup232, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1139 = msg("00556:22", part1790); + + var select401 = linear_select([ + msg1118, + msg1119, + msg1120, + msg1121, + msg1122, + msg1123, + msg1124, + msg1125, + msg1126, + msg1127, + msg1128, + msg1129, + msg1130, + msg1131, + msg1132, + msg1133, + msg1134, + msg1135, + msg1136, + msg1137, + msg1138, + msg1139, + ]); + + var part1791 = 
match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1140 = msg("00572", part1791); + + var part1792 = match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1141 = msg("00572:01", part1792); + + var part1793 = match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1142 = msg("00572:03", part1793); + + var select402 = linear_select([ + msg1140, + msg1141, + msg1142, + ]); + + var part1794 = match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1143 = msg("00615", part1794); + + var part1795 = match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1144 = msg("00615:01", part1795); + + var select403 = linear_select([ + msg1143, + msg1144, + ]); + + var part1796 = match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ])); + + var msg1145 = msg("00601", part1796); + + var part1797 = match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ])); + + var msg1146 = msg("00601:01", part1797); + + var part1798 = match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1147 = msg("00601:18", part1798); + + var select404 = linear_select([ + msg1145, + msg1146, + msg1147, + ]); + + var part1799 = match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1148 = msg("00602", part1799); + + var part1800 = match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); + + var part1801 = match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); + + var part1802 = match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); + + var part1803 = match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); + + var select405 = linear_select([ + part1802, + part1803, + ]); + + var part1804 = match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); + + var part1805 = match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); + + var select406 = linear_select([ + part1805, + dup96, + ]); + + var part1806 = match("MESSAGE#1133:00612/6", "nwparser.p0", "M. 
(%{fld1})"); + + var all369 = all_match({ + processors: [ + part1800, + dup353, + part1801, + select405, + part1804, + select406, + part1806, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1149 = msg("00612", all369); + + var part1807 = match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1150 = msg("00620", part1807); + + var part1808 = match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); + + var part1809 = match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); + + var part1810 = match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); + + var select407 = linear_select([ + part1809, + part1810, + ]); + + var part1811 = match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); + + var all370 = all_match({ + processors: [ + part1808, + select407, + part1811, + ], + on_success: processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1151 = msg("00620:01", all370); + + var part1812 = match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1152 = msg("00620:02", part1812); + + var part1813 = match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1153 = msg("00620:03", part1813); + + var part1814 = match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. 
(%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1154 = msg("00620:04", part1814); + + var select408 = linear_select([ + msg1150, + msg1151, + msg1152, + msg1153, + msg1154, + ]); + + var part1815 = match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ + dup273, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1155 = msg("00622", part1815); + + var part1816 = match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); + + var part1817 = match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); + + var part1818 = match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); + + var select409 = linear_select([ + part1817, + part1818, + ]); + + var all371 = all_match({ + processors: [ + part1816, + select409, + dup49, + ], + on_success: processor_chain([ + dup273, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg1156 = msg("00625", all371); + + var part1819 = match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); + + var part1820 = match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); + + var part1821 = match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); + + var part1822 = match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); + + var select410 = linear_select([ + part1820, + part1821, + part1822, + ]); + + var part1823 = match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); + + var all372 = all_match({ + processors: [ + part1819, + select410, + part1823, + ], + on_success: processor_chain([ + dup223, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg1157 = msg("00628", all372); + + var part1824 = match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin 
%{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + dup282, + ])); + + var msg1158 = msg("00767:50", part1824); + + var part1825 = match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1159 = msg("00767:51", part1825); + + var part1826 = match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1160 = msg("00767:52", part1826); + + var part1827 = match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, + ])); + + var msg1161 = msg("00767:53", part1827); + + var part1828 = match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ + dup27, + setc("ec_theme","Communication"), + dup39, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1162 = msg("00767", part1828); + + var part1829 = match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); + + var part1830 = match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); + + var part1831 = match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); + + var select411 = linear_select([ + part1830, + part1831, + ]); + + var all373 = all_match({ + processors: [ + part1829, + select411, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, 
+ ]), + }); + + var msg1163 = msg("00767:01", all373); + + var part1832 = match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ + setc("eventcategory","1702000000"), + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1164 = msg("00767:02", part1832); + + var part1833 = match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %(unknown)", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1165 = msg("00767:03", part1833); + + var part1834 = match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1166 = msg("00767:04", part1834); + + var part1835 = match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1167 = msg("00767:05", part1835); + + var part1836 = match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1168 = msg("00767:06", part1836); + + var part1837 = match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1169 = msg("00767:07", part1837); + + var part1838 = match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); + + var all374 = all_match({ + processors: [ + part1838, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1170 = msg("00767:08", all374); + + var part1839 = match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); + + var part1840 = match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); + + var 
part1841 = match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); + + var select412 = linear_select([ + part1840, + part1841, + ]); + + var all375 = all_match({ + processors: [ + part1839, + select412, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1171 = msg("00767:09", all375); + + var part1842 = match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); + + var all376 = all_match({ + processors: [ + part1842, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1172 = msg("00767:10", all376); + + var part1843 = match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); + + var part1844 = match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); + + var select413 = linear_select([ + dup331, + part1844, + ]); + + var part1845 = match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); + + var part1846 = match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); + + var select414 = linear_select([ + dup331, + part1846, + ]); + + var part1847 = match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); + + var all377 = all_match({ + processors: [ + part1843, + select413, + part1845, + select414, + part1847, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1173 = msg("00767:11", all377); + + var part1848 = match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1174 = msg("00767:12", part1848); + + var part1849 = match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is 
changed to %{fld4->} by admin %{p0}"); + + var all378 = all_match({ + processors: [ + part1849, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1175 = msg("00767:13", all378); + + var part1850 = match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); + + var part1851 = match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); + + var select415 = linear_select([ + part1851, + dup262, + ]); + + var part1852 = match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); + + var part1853 = match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); + + var part1854 = match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); + + var select416 = linear_select([ + part1853, + part1854, + ]); + + var all379 = all_match({ + processors: [ + part1850, + select415, + part1852, + select416, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1176 = msg("00767:14", all379); + + var part1855 = match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); + + var part1856 = match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); + + var part1857 = match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); + + var select417 = linear_select([ + part1855, + part1856, + part1857, + ]); + + var part1858 = match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); + + var part1859 = match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); + + var all380 = all_match({ + processors: [ + dup183, + select417, + part1858, + dup336, + part1859, + ], + on_success: processor_chain([ + dup223, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1177 = msg("00767:15", all380); + + var part1860 = match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ + dup1, + 
dup2, + dup3, + dup4, + dup5, + ])); + + var msg1178 = msg("00767:16", part1860); + + var part1861 = match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); + + var all381 = all_match({ + processors: [ + part1861, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1179 = msg("00767:17", all381); + + var part1862 = match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1180 = msg("00767:18", part1862); + + var part1863 = match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1181 = msg("00767:19", part1863); + + var part1864 = match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1182 = msg("00767:20", part1864); + + var part1865 = match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1183 = msg("00767:21", part1865); + + var part1866 = match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); + + var part1867 = match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); + + var part1868 = match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var select418 = linear_select([ + part1867, + part1868, + ]); + + var part1869 = match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. 
%{p0}"); + + var part1870 = match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); + + var part1871 = match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); + + var select419 = linear_select([ + part1870, + part1871, + ]); + + var part1872 = match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); + + var all382 = all_match({ + processors: [ + part1866, + select418, + part1869, + select419, + part1872, + dup354, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1184 = msg("00767:22", all382); + + var part1873 = match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var msg1185 = msg("00767:23", part1873); + + var part1874 = match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); + + var select420 = linear_select([ + dup169, + dup16, + ]); + + var part1875 = match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); + + var part1876 = match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); + + var select421 = linear_select([ + part1875, + part1876, + ]); + + var all383 = all_match({ + processors: [ + part1874, + select420, + dup23, + select421, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var msg1186 = msg("00767:25", all383); + + var part1877 = match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); + + var part1878 = match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); + + var part1879 = match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); + + var select422 = linear_select([ + part1878, + part1879, + ]); + + var part1880 = 
match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); + + var part1881 = match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); + + var part1882 = match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); + + var select423 = linear_select([ + part1881, + part1882, + ]); + + var all384 = all_match({ + processors: [ + part1877, + select422, + part1880, + select423, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1187 = msg("00767:26", all384); + + var part1883 = match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); + + var part1884 = match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); + + var part1885 = match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); + + var select424 = linear_select([ + part1884, + part1885, + ]); + + var all385 = all_match({ + processors: [ + part1883, + select424, + ], + on_success: processor_chain([ + dup223, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1188 = msg("00767:27", all385); + + var part1886 = match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1189 = msg("00767:28", part1886); + + var part1887 = match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1190 = msg("00767:29", part1887); + + var part1888 = match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin 
%{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1191 = msg("00767:30", part1888); + + var part1889 = match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); + + var part1890 = match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); + + var select425 = linear_select([ + part1889, + part1890, + ]); + + var part1891 = match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); + + var all386 = all_match({ + processors: [ + dup186, + select425, + part1891, + dup397, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1192 = msg("00767:31", all386); + + var part1892 = match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); + + var part1893 = match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); + + var part1894 = match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); + + var select426 = linear_select([ + part1893, + part1894, + ]); + + var part1895 = match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); + + var all387 = all_match({ + processors: [ + part1892, + select426, + part1895, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1193 = msg("00767:32", all387); + + var part1896 = match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1194 = msg("00767:33", part1896); + + var part1897 = match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ + dup313, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1195 = msg("00767:34", part1897); + + var part1898 = match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1196 = msg("00767:35", part1898); + + var part1899 = match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1197 = msg("00767:36", part1899); + + var part1900 = match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ + dup254, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1198 = msg("00767:37", part1900); + + var part1901 = match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. 
(%{fld1})", processor_chain([ + setc("eventcategory","1602000000"), + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1199 = msg("00767:38", part1901); + + var part1902 = match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); + + var part1903 = match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); + + var part1904 = match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); + + var select427 = linear_select([ + part1903, + part1904, + ]); + + var part1905 = match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); + + var part1906 = match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); + + var part1907 = match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); + + var select428 = linear_select([ + part1906, + part1907, + ]); + + var all388 = all_match({ + processors: [ + part1902, + select427, + part1905, + select428, + dup10, + ], + on_success: processor_chain([ + dup324, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1200 = msg("00767:39", all388); + + var part1908 = match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ + dup62, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1201 = msg("00767:40", part1908); + + var part1909 = match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1202 = msg("00767:42", part1909); + + var part1910 = match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. 
(%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1203 = msg("00767:43", part1910); + + var part1911 = match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1204 = msg("00767:44", part1911); + + var part1912 = match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1205 = msg("00767:45", part1912); + + var part1913 = match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1206 = msg("00767:46", part1913); + + var part1914 = match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup9, + ])); + + var msg1207 = msg("00767:47", part1914); + + var part1915 = match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); + + var part1916 = match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); + + var all389 = all_match({ + processors: [ + part1915, + dup364, + part1916, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), + }); + + var msg1208 = msg("00767:24", all389); + + var part1917 = match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. 
(%{fld1})", processor_chain([ + dup272, + dup2, + dup3, + dup9, + dup4, + dup5, + ])); + + var msg1209 = msg("00767:48", part1917); + + var part1918 = match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); + + var part1919 = match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); + + var part1920 = match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); + + var select429 = linear_select([ + part1919, + part1920, + ]); + + var part1921 = match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); + + var all390 = all_match({ + processors: [ + part1918, + select429, + part1921, + ], + on_success: processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ]), + }); + + var msg1210 = msg("00767:49", all390); + + var select430 = linear_select([ + msg1158, + msg1159, + msg1160, + msg1161, + msg1162, + msg1163, + msg1164, + msg1165, + msg1166, + msg1167, + msg1168, + msg1169, + msg1170, + msg1171, + msg1172, + msg1173, + msg1174, + msg1175, + msg1176, + msg1177, + msg1178, + msg1179, + msg1180, + msg1181, + msg1182, + msg1183, + msg1184, + msg1185, + msg1186, + msg1187, + msg1188, + msg1189, + msg1190, + msg1191, + msg1192, + msg1193, + msg1194, + msg1195, + msg1196, + msg1197, + msg1198, + msg1199, + msg1200, + msg1201, + msg1202, + msg1203, + msg1204, + msg1205, + msg1206, + msg1207, + msg1208, + msg1209, + msg1210, + ]); + + var part1922 = match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup277, + dup3, + dup275, + dup60, + ])); + + var msg1211 = msg("01269", part1922); + + var msg1212 = msg("01269:01", dup407); + + var msg1213 = msg("01269:02", dup408); + + var msg1214 = msg("01269:03", dup409); + + var 
select431 = linear_select([ + msg1211, + msg1212, + msg1213, + msg1214, + ]); + + var part1923 = match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup276, + dup277, + dup275, + dup332, + ])); + + var msg1215 = msg("17852", part1923); + + var part1924 = match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup332, + dup282, + ])); + + var msg1216 = msg("17852:01", part1924); + + var part1925 = match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup61, + ])); + + var msg1217 = msg("17852:02", part1925); + + var part1926 = match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup332, 
+ dup282, + ])); + + var msg1218 = msg("17852:03", part1926); + + var select432 = linear_select([ + msg1215, + msg1216, + msg1217, + msg1218, + ]); + + var msg1219 = msg("23184", dup410); + + var part1927 = match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup61, + dup282, + ])); + + var msg1220 = msg("23184:01", part1927); + + var part1928 = match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup276, + dup277, + dup275, + dup61, + ])); + + var msg1221 = msg("23184:02", part1928); + + var part1929 = match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup332, + dup282, + ])); + + var msg1222 = msg("23184:03", part1929); + + var select433 = linear_select([ + msg1219, + msg1220, + msg1221, + msg1222, + ]); + + var msg1223 = msg("27052", dup410); + + var part1930 = match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} 
service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup61, + dup282, + ])); + + var msg1224 = msg("27052:01", part1930); + + var select434 = linear_select([ + msg1223, + msg1224, + ]); + + var part1931 = match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup277, + dup5, + dup274, + dup3, + dup275, + dup276, + dup60, + ])); + + var msg1225 = msg("39568", part1931); + + var msg1226 = msg("39568:01", dup407); + + var msg1227 = msg("39568:02", dup408); + + var msg1228 = msg("39568:03", dup409); + + var select435 = linear_select([ + msg1225, + msg1226, + msg1227, + msg1228, + ]); + + var chain1 = processor_chain([ + select2, + msgid_select({ + "00001": select6, + "00002": select29, + "00003": select31, + "00004": select33, + "00005": select39, + "00006": select40, + "00007": select63, + "00008": select66, + "00009": select83, + "00010": select86, + "00011": select100, + "00012": select101, + "00013": select102, + "00014": select104, + "00015": select114, + "00016": select115, + "00017": select125, + "00018": select138, + "00019": select147, + "00020": select150, + "00021": select151, + "00022": select163, + "00023": select164, + "00024": select170, + "00025": select171, + "00026": select176, + "00027": select184, + "00028": msg469, + "00029": select188, + "00030": select197, + "00031": select205, + "00032": select207, + "00033": select214, + "00034": select225, + "00035": select232, + "00036": select234, + "00037": select241, + "00038": msg660, + "00039": msg661, + 
"00040": select244, + "00041": select245, + "00042": select246, + "00043": msg668, + "00044": select248, + "00045": msg671, + "00047": msg672, + "00048": select257, + "00049": select258, + "00050": msg682, + "00051": msg683, + "00052": msg684, + "00055": select265, + "00056": msg696, + "00057": msg697, + "00058": msg698, + "00059": select272, + "00062": select273, + "00063": msg713, + "00064": select274, + "00070": select276, + "00071": select277, + "00072": select278, + "00073": select279, + "00074": msg726, + "00075": select280, + "00076": select281, + "00077": select282, + "00084": msg735, + "00090": msg736, + "00200": msg737, + "00201": msg738, + "00202": msg739, + "00203": msg740, + "00206": select285, + "00207": select286, + "00257": select291, + "00259": select294, + "00262": msg778, + "00263": msg779, + "00400": msg780, + "00401": msg781, + "00402": select296, + "00403": msg784, + "00404": msg785, + "00405": msg786, + "00406": msg787, + "00407": msg788, + "00408": msg789, + "00409": msg790, + "00410": select297, + "00411": msg793, + "00413": select298, + "00414": select299, + "00415": msg799, + "00423": msg800, + "00429": select300, + "00430": select301, + "00431": msg805, + "00432": msg806, + "00433": msg807, + "00434": msg808, + "00435": select302, + "00436": select303, + "00437": select304, + "00438": select305, + "00440": select306, + "00441": msg823, + "00442": msg824, + "00443": msg825, + "00511": select307, + "00513": msg841, + "00515": select328, + "00518": select331, + "00519": select336, + "00520": select339, + "00521": msg890, + "00522": msg891, + "00523": msg892, + "00524": select340, + "00525": select341, + "00526": msg912, + "00527": select348, + "00528": select354, + "00529": select357, + "00530": select358, + "00531": select362, + "00533": msg973, + "00534": msg974, + "00535": select363, + "00536": select365, + "00537": select366, + "00538": select372, + "00539": select373, + "00541": select375, + "00542": msg1062, + "00543": msg1063, + 
"00544": msg1064, + "00546": msg1065, + "00547": select379, + "00549": msg1070, + "00551": select381, + "00553": select385, + "00554": select391, + "00555": msg1117, + "00556": select401, + "00572": select402, + "00601": select404, + "00602": msg1148, + "00612": msg1149, + "00615": select403, + "00620": select408, + "00622": msg1155, + "00625": msg1156, + "00628": msg1157, + "00767": select430, + "01269": select431, + "17852": select432, + "23184": select433, + "27052": select434, + "39568": select435, + }), + ]); + + var part1932 = match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); + + var part1933 = match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); + + var part1934 = match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); + + var part1935 = match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); + + var part1936 = match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); + + var part1937 = match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); + + var part1938 = match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); + + var part1939 = match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); + + var part1940 = match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); + + var part1941 = match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); + + var part1942 = match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); + + var part1943 = match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); + + var part1944 = match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); + + var part1945 = match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); + + var part1946 = match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); + + var part1947 = match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); + + var part1948 = match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", 
"disposition"); + + var part1949 = match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); + + var part1950 = match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); + + var part1951 = match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); + + var part1952 = match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); + + var part1953 = match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); + + var part1954 = match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); + + var part1955 = match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); + + var part1956 = match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); + + var part1957 = match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); + + var part1958 = match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); + + var part1959 = match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); + + var part1960 = match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); + + var part1961 = match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); + + var part1962 = match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); + + var part1963 = match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); + + var part1964 = match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var part1965 = match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); + + var part1966 = match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); + + var part1967 = match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); + + var part1968 = match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); + + var part1969 = match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); + + var part1970 = match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); + + var part1971 = match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); + + var part1972 = match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); + + var part1973 = match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); + + var part1974 = match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); + + var part1975 = match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); + + var part1976 = match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); + + var part1977 = match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part1978 = match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); + + var part1979 = match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); + + var part1980 = match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var part1981 = match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); + + var part1982 = match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); + + var part1983 = match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); + + var part1984 = match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); + + var part1985 = match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); + + var part1986 = match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); + + var part1987 = match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); + + var part1988 = match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); + + var part1989 = match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); + + var part1990 = match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); + + var part1991 = match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); + + var part1992 = match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); + + var part1993 = match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); + + var part1994 = match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); + + var part1995 = match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); + + var part1996 = match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); + + var part1997 = match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); + + var part1998 = match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); + + var part1999 = match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); + + var part2000 = match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); + + var part2001 = match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); + + var part2002 = match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); + + var part2003 = match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); + + var part2004 = match("MESSAGE#163:00007:57/3_1", 
"nwparser.p0", "that %{p0}"); + + var part2005 = match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); + + var part2006 = match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); + + var part2007 = match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); + + var part2008 = match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); + + var part2009 = match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); + + var part2010 = match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); + + var part2011 = match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); + + var part2012 = match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); + + var part2013 = match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); + + var part2014 = match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); + + var part2015 = match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); + + var part2016 = match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); + + var part2017 = match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); + + var part2018 = match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); + + var part2019 = match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); + + var part2020 = match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); + + var part2021 = match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})"); + + var part2022 = match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2023 = match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); + + var part2024 = match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); + + var part2025 = match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); + + var part2026 = match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); + + var part2027 = match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); + + var part2028 = match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); + + var part2029 = match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); + + var part2030 = match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); + + var part2031 = match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); + + var part2032 = match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); + + var part2033 = match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); + + var part2034 = match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); + + var part2035 = match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); + + var part2036 = match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); + + var part2037 = match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); + + var part2038 = match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); + + var part2039 = match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); + + var part2040 = match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); + + var part2041 = match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); + + var part2042 = match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); + + var part2043 = match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); + + var part2044 = 
match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); + + var part2045 = match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); + + var part2046 = match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); + + var part2047 = match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); + + var part2048 = match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); + + var part2049 = match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); + + var part2050 = match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); + + var part2051 = match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); + + var part2052 = match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); + + var part2053 = match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); + + var part2054 = match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); + + var part2055 = match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); + + var part2056 = match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); + + var part2057 = match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); + + var part2058 = match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); + + var part2059 = match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); + + var part2060 = match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); + + var part2061 = match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); + + var part2062 = match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); + + var part2063 = match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); + + var part2064 = match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); + + var part2065 = match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); + + var part2066 = 
match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); + + var part2067 = match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); + + var part2068 = match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); + + var part2069 = match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); + + var part2070 = match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); + + var part2071 = match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); + + var part2072 = match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); + + var part2073 = match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); + + var part2074 = match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); + + var part2075 = match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); + + var part2076 = match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); + + var part2077 = match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); + + var part2078 = match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); + + var part2079 = match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); + + var part2080 = match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); + + var part2081 = match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); + + var part2082 = match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); + + var part2083 = match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); + + var part2084 = match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); + + var part2085 = match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); + + var part2086 = match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); + + var part2087 = match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); + + var part2088 = match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); + + var part2089 = 
match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); + + var part2090 = match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); + + var part2091 = match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); + + var part2092 = match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); + + var part2093 = match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); + + var part2094 = match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); + + var part2095 = match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); + + var part2096 = match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); + + var part2097 = match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); + + var part2098 = match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); + + var part2099 = match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); + + var part2100 = match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); + + var part2101 = match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); + + var part2102 = match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); + + var part2103 = match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); + + var part2104 = match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); + + var part2105 = match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); + + var part2106 = match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2107 = match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); + + var part2108 = match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); + + var part2109 = match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); + + var part2110 = match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); + + var part2111 = match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); + + var part2112 = match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); + + var part2113 = match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); + + var part2114 = match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); + + var part2115 = match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); + + var part2116 = match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); + + var part2117 = match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); + + var part2118 = match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); + + var part2119 = match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); + + var part2120 = match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); + + var part2121 = match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); + + var part2122 = match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); + + var part2123 = match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); + + var part2124 = match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); + + var part2125 = match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); + + var part2126 = match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); + + var part2127 = match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); + + var part2128 = match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); + + var part2129 = 
match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); + + var part2130 = match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); + + var part2131 = match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var part2132 = match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); + + var part2133 = match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); + + var part2134 = match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); + + var part2135 = match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); + + var part2136 = match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + + var part2137 = match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); + + var part2138 = match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); + + var part2139 = match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); + + var part2140 = match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); + + var part2141 = match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); + + var part2142 = match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); + + var part2143 = match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); + + var part2144 = match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); + + var part2145 = match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); + + var part2146 = match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); + + var part2147 = match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! 
From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2148 = match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + + var part2149 = match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + + var part2150 = match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); + + var part2151 = match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); + + var part2152 = match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); + + var part2153 = match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); + + var part2154 = match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); + + var part2155 = match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); + + var part2156 = match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); + + var part2157 = match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); + + var part2158 = match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); + + var part2159 = match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); + + var part2160 = match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); + + var part2161 = match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); + + var part2162 = match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); + + var part2163 = match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); + + var part2164 = match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); + + var part2165 = match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); + + var part2166 = match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); + + var part2167 = 
match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); + + var part2168 = match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); + + var part2169 = match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); + + var part2170 = match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); + + var part2171 = match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); + + var part2172 = match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); + + var part2173 = match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); + + var part2174 = match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); + + var part2175 = match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); + + var select436 = linear_select([ + dup10, + dup11, + ]); + + var part2176 = match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var select437 = linear_select([ + dup13, + dup14, + ]); + + var select438 = linear_select([ + dup15, + dup16, + ]); + + var select439 = linear_select([ + dup56, + dup57, + ]); + + var select440 = linear_select([ + dup65, + dup66, + ]); + + var select441 = linear_select([ + dup68, + dup69, + ]); + + var select442 = linear_select([ + dup71, + dup72, + ]); + + var part2177 = match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + ])); + + var select443 = linear_select([ + dup74, + dup75, + ]); + + var select444 = linear_select([ + dup81, + dup82, + ]); + + var select445 = linear_select([ + dup24, + dup90, + ]); + + var select446 = linear_select([ + dup94, + dup95, + ]); + + var select447 = linear_select([ + dup98, + dup99, + ]); + + var select448 = linear_select([ + dup100, + dup101, + dup102, + ]); + + 
var select449 = linear_select([ + dup113, + dup114, + ]); + + var select450 = linear_select([ + dup111, + dup16, + ]); + + var select451 = linear_select([ + dup127, + dup107, + ]); + + var select452 = linear_select([ + dup8, + dup21, + ]); + + var select453 = linear_select([ + dup122, + dup133, + ]); + + var select454 = linear_select([ + dup142, + dup143, + ]); + + var select455 = linear_select([ + dup145, + dup21, + ]); + + var select456 = linear_select([ + dup127, + dup106, + ]); + + var select457 = linear_select([ + dup152, + dup96, + ]); + + var select458 = linear_select([ + dup154, + dup155, + ]); + + var select459 = linear_select([ + dup156, + dup157, + ]); + + var select460 = linear_select([ + dup99, + dup134, + ]); + + var select461 = linear_select([ + dup158, + dup159, + ]); + + var select462 = linear_select([ + dup161, + dup162, + ]); + + var select463 = linear_select([ + dup163, + dup103, + ]); + + var select464 = linear_select([ + dup162, + dup161, + ]); + + var select465 = linear_select([ + dup46, + dup47, + ]); + + var select466 = linear_select([ + dup166, + dup167, + ]); + + var select467 = linear_select([ + dup172, + dup173, + ]); + + var select468 = linear_select([ + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + ]); + + var select469 = linear_select([ + dup49, + dup21, + ]); + + var select470 = linear_select([ + dup189, + dup190, + ]); + + var select471 = linear_select([ + dup96, + dup152, + ]); + + var select472 = linear_select([ + dup196, + dup197, + ]); + + var select473 = linear_select([ + dup24, + dup200, + ]); + + var select474 = linear_select([ + dup103, + dup163, + ]); + + var select475 = linear_select([ + dup205, + dup118, + ]); + + var part2178 = match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var select476 = linear_select([ + dup212, + dup213, + 
]); + + var select477 = linear_select([ + dup215, + dup216, + ]); + + var select478 = linear_select([ + dup222, + dup215, + ]); + + var select479 = linear_select([ + dup224, + dup225, + ]); + + var select480 = linear_select([ + dup231, + dup124, + ]); + + var select481 = linear_select([ + dup229, + dup230, + ]); + + var select482 = linear_select([ + dup233, + dup234, + ]); + + var select483 = linear_select([ + dup236, + dup237, + ]); + + var select484 = linear_select([ + dup242, + dup243, + ]); + + var select485 = linear_select([ + dup245, + dup246, + ]); + + var select486 = linear_select([ + dup247, + dup248, + ]); + + var select487 = linear_select([ + dup249, + dup250, + ]); + + var select488 = linear_select([ + dup251, + dup252, + ]); + + var select489 = linear_select([ + dup260, + dup261, + ]); + + var select490 = linear_select([ + dup264, + dup265, + ]); + + var select491 = linear_select([ + dup268, + dup269, + ]); + + var part2179 = match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ])); + + var select492 = linear_select([ + dup284, + dup285, + ]); + + var select493 = linear_select([ + dup287, + dup288, + ]); + + var part2180 = match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup60, + ])); + + var part2181 = match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. 
(%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, + ])); + + var select494 = linear_select([ + dup300, + dup26, + ]); + + var select495 = linear_select([ + dup115, + dup303, + ]); + + var select496 = linear_select([ + dup125, + dup96, + ]); + + var select497 = linear_select([ + dup189, + dup308, + dup309, + ]); + + var select498 = linear_select([ + dup310, + dup16, + ]); + + var select499 = linear_select([ + dup317, + dup318, + ]); + + var select500 = linear_select([ + dup319, + dup315, + ]); + + var select501 = linear_select([ + dup322, + dup250, + ]); + + var select502 = linear_select([ + dup327, + dup329, + ]); + + var select503 = linear_select([ + dup330, + dup129, + ]); + + var part2182 = match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup60, + dup282, + ])); + + var part2183 = match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup60, + ])); + + var part2184 = match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup281, + dup2, + dup4, + dup5, + 
dup274, + dup3, + dup275, + dup60, + dup282, + ])); + + var part2185 = match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup185, + dup2, + dup4, + dup5, + dup274, + dup3, + dup275, + dup276, + dup277, + dup61, + ])); + + var all391 = all_match({ + processors: [ + dup263, + dup390, + dup266, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var all392 = all_match({ + processors: [ + dup267, + dup391, + dup270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), + }); + + var all393 = all_match({ + processors: [ + dup80, + dup343, + dup293, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), + }); + + var all394 = all_match({ + processors: [ + dup296, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + + var all395 = all_match({ + processors: [ + dup298, + dup343, + dup131, + ], + on_success: processor_chain([ + dup297, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: 
server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/juniper/1.1.1/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/1.1.1/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..c21920bdee
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,72 @@
+---
+description: Pipeline for Netscreen
+
+processors:
+ # ECS event.ingested
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/juniper/1.1.1/data_stream/netscreen/fields/agent.yml b/packages/juniper/1.1.1/data_stream/netscreen/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/netscreen/fields/agent.yml
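Review bot: The `on_failure` handler at the bottom of the hunk only appends `error.message`, so a document whose enrichment failed is indexed looking like a healthy one unless a query inspects that field; adding `- set: field: event.kind value: pipeline_error` next to the append gives detection rules and pipeline-health dashboards a stable marker to alert on. This pipeline appears to do enrichment only (geoip, AS lookup, renames, tag-gated removal of `event.original`), with field extraction presumably happening before it reaches Elasticsearch, so this handler is the one place a processing failure surfaces for these events.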
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
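Review bot: `example: 666777888999` under cloud.account.id at the top of this hunk is an unquoted all-digit scalar, so a YAML loader reads it as an integer even though the field it documents is `type: keyword`; quoting it as `example: '666777888999'` keeps the example the same type as the field and matches how `example: "18D109"` and `example: "stretch"` are written at the end of the hunk. The other examples contain letters or multiple dots and already parse as strings, so no change is needed there.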
diff --git a/packages/juniper/1.1.1/data_stream/netscreen/fields/base-fields.yml b/packages/juniper/1.1.1/data_stream/netscreen/fields/base-fields.yml
new file mode 100755
index 0000000000..db5ff9a4da
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/netscreen/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: juniper
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: juniper.netscreen
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/juniper/1.1.1/data_stream/netscreen/fields/ecs.yml b/packages/juniper/1.1.1/data_stream/netscreen/fields/ecs.yml
new file mode 100755
index 0000000000..78ddffacce
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/netscreen/fields/ecs.yml
@@ -0,0 +1,541 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: |-
+ The domain name of the client system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: client.domain
+ type: keyword
+- description: |-
+ The highest registered client domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: client.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: client.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: client.top_level_domain
+ type: keyword
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ MAC address of the destination.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: destination.mac
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g.
internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ The highest registered destination domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: destination.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: destination.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: destination.top_level_domain
+ type: keyword
+- description: |-
+ The domain name to which this resource record pertains.
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
+ name: dns.answers.name
+ type: keyword
+- description: The type of data contained in this resource record.
+ name: dns.answers.type
+ type: keyword
+- description: |-
+ The highest registered domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: dns.question.registered_domain
+ type: keyword
+- description: |-
+ The subdomain is all of the labels under the registered_domain.
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: dns.question.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: dns.question.top_level_domain
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ Array of file attributes.
+ Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
+ name: file.attributes
+ type: keyword
+- description: Directory where the file is located. It should include the drive letter, when appropriate.
+ name: file.directory
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: File type (file, dir, or symlink).
+ name: file.type
+ type: keyword
+- description: City name.
+ name: geo.city_name
+ type: keyword
+- description: Country name.
+ name: geo.country_name
+ type: keyword
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: geo.name
+ type: keyword
+- description: Region name.
+ name: geo.region_name
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: group.id
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Host MAC addresses.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: host.mac
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: |-
+ HTTP request method.
+ The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ name: http.request.method
+ type: keyword
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
+ name: log.syslog.facility.code
+ type: long
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ The Syslog numeric severity of the log event, if available.
+ If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
+ name: log.syslog.severity.code
+ type: long
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
+ The field value must be normalized to lowercase for querying.
+ name: network.application
+ type: keyword
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: Host IP address when the source IP address is the proxy.
+ name: network.forwarded_ip
+ type: ip
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
+ The field value must be normalized to lowercase for querying.
+ name: network.protocol
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.egress.interface.name
+ type: keyword
+- description: Interface name as reported by the system.
+ name: observer.ingress.interface.name
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: Observer version.
+ name: observer.version
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.name
+ type: keyword
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.title
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: |-
+ Process title.
+ The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.title
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ The highest registered server domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: server.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: server.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: server.top_level_domain
+ type: keyword
+- description: |-
+ Name of the service data is collected from.
+ The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+ In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+ name: service.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ The highest registered source domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: source.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: source.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: source.top_level_domain
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
diff --git a/packages/juniper/1.1.1/data_stream/netscreen/fields/fields.yml b/packages/juniper/1.1.1/data_stream/netscreen/fields/fields.yml
new file mode 100755
index 0000000000..ea69cd79e3
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/netscreen/fields/fields.yml
@@ -0,0 +1,1754 @@
+- name: rsa
+ type: group
+ fields:
+ - name: internal
+ type: group
+ fields:
+ - name: msg
+ type: keyword
+ description: This key is used to capture the raw message that comes into the Log Decoder
+ - name: messageid
+ type: keyword
+ - name: event_desc
+ type: keyword
+ - name: message
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
+ - name: level
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: msg_vid
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: data
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: hcode
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: inode
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: resource_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: dead
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: feed_desc
+ type: keyword
+ description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: feed_name
+ type: keyword
+ description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: cid
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_class
+ type: keyword
+ description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_group
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_host
+ type: keyword
+ description: This is the Hostname of the log Event Source sending the logs to NetWitness.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ip
+ type: ip
+ description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ipv6
+ type: ip
+ description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type
+ type: keyword
+ description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type_id
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: did
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: entropy_req
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: entropy_res
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: event_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: feed_category
+ type: keyword
+ description: This is used to capture the category of the feed.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: forward_ip
+ type: ip
+ description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
+ - name: forward_ipv6
+ type: ip
+ description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: header_id
+ type: keyword
+ description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_cid
+ type: keyword
+ description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_ctime
+ type: date
+ description: This is the time at which a log is collected in a NetWitness Log Collector.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: mcb_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcb_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcbc_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: mcbc_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: medium
+ type: long
+ description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
+ - name: node_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: nwe_callback_id
+ type: keyword
+ description: This key denotes that event is endpoint related
+ - name: parse_error
+ type: keyword
+ description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: payload_req
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing.
However, in order to keep
+ - name: payload_res
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+ - name: process_vid_dst
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
+ - name: process_vid_src
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
+ - name: rid
+ type: long
+ description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: session_split
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: site
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: size
+ type: long
+ description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: sourcefile
+ type: keyword
+ description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: ubc_req
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream.
256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: ubc_res
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: word
+ type: keyword
+ description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
+ - name: time
+ type: group
+ fields:
+ - name: event_time
+ type: date
+ description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
+ - name: duration_time
+ type: double
+ description: This key is used to capture the normalized duration/lifetime in seconds.
+ - name: event_time_str
+ type: keyword
+ description: This key is used to capture the incomplete time mentioned in a session as a string
+ - name: starttime
+ type: date
+ description: This key is used to capture the Start time mentioned in a session in a standard form
+ - name: month
+ type: keyword
+ - name: day
+ type: keyword
+ - name: endtime
+ type: date
+ description: This key is used to capture the End time mentioned in a session in a standard form
+ - name: timezone
+ type: keyword
+ description: This key is used to capture the timezone of the Event Time
+ - name: duration_str
+ type: keyword
+ description: A text string version of the duration
+ - name: date
+ type: keyword
+ - name: year
+ type: keyword
+ - name: recorded_time
+ type: date
+ description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
+ - name: datetime
+ type: keyword
+ - name: effective_time
+ type: date
+ description: This key is the effective time referenced by an individual event in a Standard Timestamp format
+ - name: expire_time
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ type: keyword
+ - name: min
+ type: keyword
+ - name: timestamp
+ type: keyword
+ - name: event_queue_time
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ type: keyword
+ - name: tzone
+ type: keyword
+ - name: eventtime
+ type: keyword
+ - name: gmtdate
+ type: keyword
+ - name: gmttime
+ type: keyword
+ - name: p_date
+ type: keyword
+ - name: p_month
+ type: keyword
+ - name: p_time
+ type: keyword
+ - name: p_time2
+ type: keyword
+ - name: p_year
+ type: keyword
+ - name: expire_time_str
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+ - name: stamp
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: result
+ type: keyword
+ description: This key is used to capture the outcome/result string value of an action in a session.
+ - name: severity
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ type: keyword
+ description: This key captures the event category type as specified by the event source.
+ - name: reference_id
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ type: keyword
+ description: This key captures Version of the application or OS which is generating the event.
+ - name: disposition
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of an action in a session
+ - name: category
+ type: keyword
+ description: This key is used to capture the category of an event given by the vendor in the session
+ - name: obj_name
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ type: keyword
+ description: "This key captures Source of the event that’s not a hostname"
+ - name: log_session_id
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ type: keyword
+ description: This key captures Information which adds additional context to the event.
+ - name: change_new
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that’s changing in a session"
+ - name: space
+ type: keyword
+ - name: client
+ type: keyword
+ description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ type: keyword
+ - name: msgIdPart2
+ type: keyword
+ - name: change_old
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that’s changing in a session"
+ - name: operation_id
+ type: keyword
+ description: An alert number or operation number. The values should be unique and non-repeating.
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application, etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that’s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity such as a file or process.
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy.
This contains details about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID.
This must be linked to the sig.id
+ - name: im_buddyid
+ type: keyword
+ - name: im_client
+ type: keyword
+ - name: im_userid
+ type: keyword
+ - name: pid
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: context_subject
+ type: keyword
+ description: This key is to be used in an audit context where the subject is the object being identified
+ - name: context_target
+ type: keyword
+ - name: cve
+ type: keyword
+ description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+ - name: fcatnum
+ type: keyword
+ description: This key captures Filter Category Number. Legacy Usage
+ - name: library
+ type: keyword
+ description: This key is used to capture library information in mainframe devices
+ - name: parent_node
+ type: keyword
+ description: This key captures the Parent Node Name. Must be related to node variable.
+ - name: risk_info
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: tcp_flags
+ type: long
+ description: This key is captures the TCP flags set in any packet of session
+ - name: tos
+ type: long
+ description: This key describes the type of service
+ - name: vm_target
+ type: keyword
+ description: VMWare Target **VMWARE** only varaible.
+ - name: workspace
+ type: keyword
+ description: This key captures Workspace Description
+ - name: command
+ type: keyword
+ - name: event_category
+ type: keyword
+ - name: facilityname
+ type: keyword
+ - name: forensic_info
+ type: keyword
+ - name: jobname
+ type: keyword
+ - name: mode
+ type: keyword
+ - name: policy
+ type: keyword
+ - name: policy_waiver
+ type: keyword
+ - name: second
+ type: keyword
+ - name: space1
+ type: keyword
+ - name: subcategory
+ type: keyword
+ - name: tbdstr2
+ type: keyword
+ - name: alert_id
+ type: keyword
+ description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: checksum_dst
+ type: keyword
+ description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
+ - name: checksum_src
+ type: keyword
+ description: This key is used to capture the checksum or hash of the source entity such as a file or process.
+ - name: fresult
+ type: long
+ description: This key captures the Filter Result
+ - name: payload_dst
+ type: keyword
+ description: This key is used to capture destination payload
+ - name: payload_src
+ type: keyword
+ description: This key is used to capture source payload
+ - name: pool_id
+ type: keyword
+ description: This key captures the identifier (typically numeric field) of a resource pool
+ - name: process_id_val
+ type: keyword
+ description: This key is a failure key for Process ID when it is not an integer value
+ - name: risk_num_comm
+ type: double
+ description: This key captures Risk Number Community
+ - name: risk_num_next
+ type: double
+ description: This key captures Risk Number NextGen
+ - name: risk_num_sand
+ type: double
+ description: This key captures Risk Number SandBox
+ - name: risk_num_static
+ type: double
+ description: This key captures Risk Number Static
+ - name: risk_suspicious
+ type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: risk_warning
+ 
type: keyword
+ description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ - name: snmp_oid
+ type: keyword
+ description: SNMP Object Identifier
+ - name: sql
+ type: keyword
+ description: This key captures the SQL query
+ - name: vuln_ref
+ type: keyword
+ description: This key captures the Vulnerability Reference details
+ - name: acl_id
+ type: keyword
+ - name: acl_op
+ type: keyword
+ - name: acl_pos
+ type: keyword
+ - name: acl_table
+ type: keyword
+ - name: admin
+ type: keyword
+ - name: alarm_id
+ type: keyword
+ - name: alarmname
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: audit
+ type: keyword
+ - name: audit_object
+ type: keyword
+ - name: auditdata
+ type: keyword
+ - name: benchmark
+ type: keyword
+ - name: bypass
+ type: keyword
+ - name: cache
+ type: keyword
+ - name: cache_hit
+ type: keyword
+ - name: cefversion
+ type: keyword
+ - name: cfg_attr
+ type: keyword
+ - name: cfg_obj
+ type: keyword
+ - name: cfg_path
+ type: keyword
+ - name: changes
+ type: keyword
+ - name: client_ip
+ type: keyword
+ - name: clustermembers
+ type: keyword
+ - name: cn_acttimeout
+ type: keyword
+ - name: cn_asn_src
+ type: keyword
+ - name: cn_bgpv4nxthop
+ type: keyword
+ - name: cn_ctr_dst_code
+ type: keyword
+ - name: cn_dst_tos
+ type: keyword
+ - name: cn_dst_vlan
+ type: keyword
+ - name: cn_engine_id
+ type: keyword
+ - name: cn_engine_type
+ type: keyword
+ - name: cn_f_switch
+ type: keyword
+ - name: cn_flowsampid
+ type: keyword
+ - name: cn_flowsampintv
+ type: keyword
+ - name: cn_flowsampmode
+ type: keyword
+ - name: cn_inacttimeout
+ type: keyword
+ - name: cn_inpermbyts
+ type: keyword
+ - name: cn_inpermpckts
+ type: keyword
+ - name: cn_invalid
+ type: keyword
+ - name: cn_ip_proto_ver
+ type: keyword
+ - name: cn_ipv4_ident
+ type: keyword
+ - name: cn_l_switch
+ type: keyword
+ - name: cn_log_did
+ type: keyword
+ - name: cn_log_rid
+ type: keyword
+ - name: cn_max_ttl
+ type: keyword
+ - name: 
cn_maxpcktlen
+ type: keyword
+ - name: cn_min_ttl
+ type: keyword
+ - name: cn_minpcktlen
+ type: keyword
+ - name: cn_mpls_lbl_1
+ type: keyword
+ - name: cn_mpls_lbl_10
+ type: keyword
+ - name: cn_mpls_lbl_2
+ type: keyword
+ - name: cn_mpls_lbl_3
+ type: keyword
+ - name: cn_mpls_lbl_4
+ type: keyword
+ - name: cn_mpls_lbl_5
+ type: keyword
+ - name: cn_mpls_lbl_6
+ type: keyword
+ - name: cn_mpls_lbl_7
+ type: keyword
+ - name: cn_mpls_lbl_8
+ type: keyword
+ - name: cn_mpls_lbl_9
+ type: keyword
+ - name: cn_mplstoplabel
+ type: keyword
+ - name: cn_mplstoplabip
+ type: keyword
+ - name: cn_mul_dst_byt
+ type: keyword
+ - name: cn_mul_dst_pks
+ type: keyword
+ - name: cn_muligmptype
+ type: keyword
+ - name: cn_sampalgo
+ type: keyword
+ - name: cn_sampint
+ type: keyword
+ - name: cn_seqctr
+ type: keyword
+ - name: cn_spackets
+ type: keyword
+ - name: cn_src_tos
+ type: keyword
+ - name: cn_src_vlan
+ type: keyword
+ - name: cn_sysuptime
+ type: keyword
+ - name: cn_template_id
+ type: keyword
+ - name: cn_totbytsexp
+ type: keyword
+ - name: cn_totflowexp
+ type: keyword
+ - name: cn_totpcktsexp
+ type: keyword
+ - name: cn_unixnanosecs
+ type: keyword
+ - name: cn_v6flowlabel
+ type: keyword
+ - name: cn_v6optheaders
+ type: keyword
+ - name: comp_class
+ type: keyword
+ - name: comp_name
+ type: keyword
+ - name: comp_rbytes
+ type: keyword
+ - name: comp_sbytes
+ type: keyword
+ - name: cpu_data
+ type: keyword
+ - name: criticality
+ type: keyword
+ - name: cs_agency_dst
+ type: keyword
+ - name: cs_analyzedby
+ type: keyword
+ - name: cs_av_other
+ type: keyword
+ - name: cs_av_primary
+ type: keyword
+ - name: cs_av_secondary
+ type: keyword
+ - name: cs_bgpv6nxthop
+ type: keyword
+ - name: cs_bit9status
+ type: keyword
+ - name: cs_context
+ type: keyword
+ - name: cs_control
+ type: keyword
+ - name: cs_data
+ type: keyword
+ - name: cs_datecret
+ type: keyword
+ - name: cs_dst_tld
+ type: keyword
+ - name: cs_eth_dst_ven
+ type: keyword
+ - 
name: cs_eth_src_ven
+ type: keyword
+ - name: cs_event_uuid
+ type: keyword
+ - name: cs_filetype
+ type: keyword
+ - name: cs_fld
+ type: keyword
+ - name: cs_if_desc
+ type: keyword
+ - name: cs_if_name
+ type: keyword
+ - name: cs_ip_next_hop
+ type: keyword
+ - name: cs_ipv4dstpre
+ type: keyword
+ - name: cs_ipv4srcpre
+ type: keyword
+ - name: cs_lifetime
+ type: keyword
+ - name: cs_log_medium
+ type: keyword
+ - name: cs_loginname
+ type: keyword
+ - name: cs_modulescore
+ type: keyword
+ - name: cs_modulesign
+ type: keyword
+ - name: cs_opswatresult
+ type: keyword
+ - name: cs_payload
+ type: keyword
+ - name: cs_registrant
+ type: keyword
+ - name: cs_registrar
+ type: keyword
+ - name: cs_represult
+ type: keyword
+ - name: cs_rpayload
+ type: keyword
+ - name: cs_sampler_name
+ type: keyword
+ - name: cs_sourcemodule
+ type: keyword
+ - name: cs_streams
+ type: keyword
+ - name: cs_targetmodule
+ type: keyword
+ - name: cs_v6nxthop
+ type: keyword
+ - name: cs_whois_server
+ type: keyword
+ - name: cs_yararesult
+ type: keyword
+ - name: description
+ type: keyword
+ - name: devvendor
+ type: keyword
+ - name: distance
+ type: keyword
+ - name: dstburb
+ type: keyword
+ - name: edomain
+ type: keyword
+ - name: edomaub
+ type: keyword
+ - name: euid
+ type: keyword
+ - name: facility
+ type: keyword
+ - name: finterface
+ type: keyword
+ - name: flags
+ type: keyword
+ - name: gaddr
+ type: keyword
+ - name: id3
+ type: keyword
+ - name: im_buddyname
+ type: keyword
+ - name: im_croomid
+ type: keyword
+ - name: im_croomtype
+ type: keyword
+ - name: im_members
+ type: keyword
+ - name: im_username
+ type: keyword
+ - name: ipkt
+ type: keyword
+ - name: ipscat
+ type: keyword
+ - name: ipspri
+ type: keyword
+ - name: latitude
+ type: keyword
+ - name: linenum
+ type: keyword
+ - name: list_name
+ type: keyword
+ - name: load_data
+ type: keyword
+ - name: location_floor
+ type: keyword
+ - name: location_mark
+ type: keyword
+ - name: log_id
+ 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/juniper/1.1.1/data_stream/netscreen/manifest.yml b/packages/juniper/1.1.1/data_stream/netscreen/manifest.yml new file mode 100755 index 0000000000..c091c6e06e --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/netscreen/manifest.yml 
@@ -0,0 +1,205 @@
+title: Netscreen logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Netscreen logs
+ description: Collect Netscreen logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-netscreen
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9523
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Netscreen logs
+ description: Collect Netscreen logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-netscreen
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9523
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Netscreen logs
+ description: Collect Netscreen logs from file
+ template_path: logfile.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/juniper-netscreen.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-netscreen
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/juniper/1.1.1/data_stream/netscreen/sample_event.json b/packages/juniper/1.1.1/data_stream/netscreen/sample_event.json
new file mode 100755
index 0000000000..09fd125dac
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/netscreen/sample_event.json
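Review bot: The `processors` description uses `>` in the udp and tcp inputs but `>-` in the logfile input, so the first two rendered descriptions carry a trailing newline the third does not; `description: >-` in all three gives consistent output. The `tz_offset` var is titled "Timezone offset (+HH:mm format)" yet defaults to `"local"`, and nothing in the manifest tells the user that `local` is an accepted value; a line such as `description: Timezone offset to apply to log timestamps, in +HH:mm format, or "local".` would close that gap. The `rsa_fields`, `keep_raw_fields` and `debug` vars carry only a title, and two of them are hidden by `show_user: false`, so a one-line description of what each switches on would help anyone who later edits the policy by hand.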
@@ -0,0 +1,61 @@
+{
+ "@timestamp": "2016-01-29T06:09:59.000Z",
+ "agent": {
+ "ephemeral_id": "7fac277a-278c-4dfd-baba-dd447e01094c",
+ "hostname": "docker-fleet-agent",
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "data_stream": {
+ "dataset": "juniper.netscreen",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "elastic_agent": {
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "code": "00628",
+ "dataset": "juniper.netscreen",
+ "ingested": "2022-01-25T08:50:17Z",
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "low",
+ "source": {
+ "address": "172.19.0.4:42674"
+ }
+ },
+ "observer": {
+ "product": "Netscreen",
+ "type": "Firewall",
+ "vendor": "Juniper"
+ },
+ "rsa": {
+ "internal": {
+ "messageid": "00628"
+ },
+ "misc": {
+ "hardware_id": "olab",
+ "severity": "low"
+ },
+ "time": {
+ "event_time": "2016-01-29T06:09:59.000Z"
+ }
+ },
+ "tags": [
+ "juniper-netscreen",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/juniper/1.1.1/data_stream/srx/agent/stream/logfile.yml.hbs b/packages/juniper/1.1.1/data_stream/srx/agent/stream/logfile.yml.hbs
new file mode 100755
index 0000000000..9fd98fa47e
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/srx/agent/stream/logfile.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
diff --git a/packages/juniper/1.1.1/data_stream/srx/agent/stream/tcp.yml.hbs b/packages/juniper/1.1.1/data_stream/srx/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..0696ac9d89
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/srx/agent/stream/tcp.yml.hbs
@@ -0,0 +1,16 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
diff --git a/packages/juniper/1.1.1/data_stream/srx/agent/stream/udp.yml.hbs b/packages/juniper/1.1.1/data_stream/srx/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..0696ac9d89
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/srx/agent/stream/udp.yml.hbs
@@ -0,0 +1,16 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
diff --git a/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/atp.yml b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/atp.yml
new file mode 100755
index 0000000000..44d01d3639
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/atp.yml
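Review bot: The tcp stream renders only `host: "{{syslog_host}}:{{syslog_port}}"`, so there is no way to enable TLS from the policy and SRX syslog (usernames, policy names, internal addressing) reaches the agent in cleartext; the srx manifest is not in this hunk, but nothing here would consume an `ssl` variable even if it declared one. Consider exposing `ssl` (and `max_message_size`) in the manifest and rendering them after the host line, e.g. `{{#if ssl}}ssl: {{ssl}}{{/if}}`, so operators can terminate TLS at the agent. The udp template in this commit is byte-identical apart from the path; UDP cannot be secured this way, so the input description should steer operators to TCP with TLS for anything crossing an untrusted segment.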
@@ -0,0 +1,364 @@ +--- +description: Pipeline for parsing junipersrx firewall logs (atp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.category + value: malware + if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag) && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" +- append: + field: event.type + value: + - allowed + - connection + if: "ctx.juniper?.srx?.action != 'BLOCK' && ctx.juniper?.srx?.tag != 'AAMW_MALWARE_EVENT_LOG'" +- set: + field: event.action + value: malware_detected + if: "ctx.juniper?.srx?.action == 'BLOCK' || ctx.juniper?.srx?.tag == 'AAMW_MALWARE_EVENT_LOG'" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + 
if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server != null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: 
'{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + 
target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" +- rename: + field: juniper.srx.hostname + target_field: source.domain + ignore_missing: true + if: "ctx.juniper?.srx?.hostname != null" +- rename: + field: juniper.srx.client_ip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.client_ip != null" + +###################### +## ECS URL Mapping ## +###################### +- rename: + field: juniper.srx.http_host + target_field: url.domain + ignore_missing: true + if: "ctx.juniper?.srx?.http_host != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + 
database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +############### +## Timestamp ## +############### +- date: + if: 'ctx.juniper.srx?.timestamp != null' + field: juniper.srx.timestamp + target_field: juniper.srx.timestamp + formats: + - 'EEE MMM dd HH:mm:ss yyyy' + - 'EEE MMM d HH:mm:ss yyyy' + on_failure: + - remove: + field: + - juniper.srx.timestamp + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..891dd4c68f --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/default.yml 
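Review bot: The `event.kind: alert` and `event.category: malware` processors require `ctx.juniper?.srx?.action != "PERMIT"`, but the `event.type` and `event.action` processors just below fire on `tag == 'AAMW_MALWARE_EVENT_LOG'` regardless of action, so a malware event that policy permitted is stamped `event.action: malware_detected` and `event.type: denied` while staying `event.kind: event` with only a `network` category — exactly the event a rule on `event.kind:alert` or `event.category:malware` needs to see. A malware verdict is an alert whether or not the flow was permitted; drop the action clause from the kind/category conditions, e.g. `if: '["SRX_AAMW_ACTION_LOG", "AAMW_MALWARE_EVENT_LOG", "AAMW_HOST_INFECTED_EVENT_LOG", "AAMW_ACTION_LOG"].contains(ctx.juniper?.srx?.tag)'`, and let `allowed`/`denied` follow `action` alone. Separately, `juniper.srx.sourceip` and `juniper.srx.client_ip` are each renamed onto `source.ip` after `source_address` has already been moved there; `rename` throws when the target exists, so a message carrying two of those keys fails the whole pipeline and is indexed with only `error.message` — if such messages occur, guard those renames with `ctx.source?.ip == null`.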
@@ -0,0 +1,298 @@ +--- +# This module only supports syslog messages in the format "structured-data + brief" +# https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html +description: Pipeline for parsing junipersrx firewall logs +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:_temp_.original}\]$' + +# split Juniper-SRX fields + - kv: + field: _temp_.original + field_split: " (?=[a-z0-9\\_\\-]+=)" + value_split: "=" + prefix: "juniper.srx." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +# Converts all kebab-case key names to snake_case + - script: + lang: painless + source: >- + ctx.juniper.srx = ctx?.juniper?.srx.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('-', '_'), e -> e.getValue())); + +# +# Parse the date +# + - date: + if: "ctx?.event?.timezone == null" + field: _temp_.raw_date + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - yyyy-MM-dd HH:mm:ss Z + - ISO8601 + - date: + if: "ctx?.event?.timezone != null" + timezone: "{{ event.timezone }}" + field: _temp_.raw_date + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss z + - yyyy-MM-dd HH:mm:ss Z + - ISO8601 + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + +# Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time. 
+# -> juniper.srx.elapsed_time + - rename: + field: juniper.srx.elapsed_time + target_field: juniper.srx.duration + if: "ctx?.juniper?.srx?.elapsed_time != null" + +# Sets starts, end and duration when start and duration is known + - script: + lang: painless + if: ctx?.juniper?.srx?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.juniper.srx.duration) * 1000000000L; + ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields + - script: + lang: painless + params: + values: + - "None" + - "UNKNOWN" + - "N/A" + - "-" + source: >- + ctx?.juniper?.srx.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + +####################### +## ECS Event Mapping ## +####################### + - convert: + field: syslog_pri + type: long + target_field: event.severity + ignore_failure: true + +##################### +## ECS Log Mapping ## +##################### +# https://www.juniper.net/documentation/en_US/junos/topics/reference/general/syslog-interpreting-msg-generated-structured-data-format.html#fac_sev_codes + - set: + field: "log.level" + if: '["0", "8", "16", "24", "32", "40", "48", "56", "64", "72", "80", "88", "96", "104", "112", "128", "136", "144", "152", "160", "168", "176", "184"].contains(ctx.syslog_pri)' + value: emergency + - set: + field: "log.level" + if: '["1", "9", "17", "25", "33", "41", "49", "57", "65", "73", "81", "89", "97", "105", "113", "129", "137", "145", "153", "161", "169", "177", "185"].contains(ctx.syslog_pri)' + value: alert + - set: + field: "log.level" + if: '["2", "10", "18", "26", "34", "42", "50", "58", "66", "74", "82", "90", "98", "106", "114", "130", "138", "146", "154", "162", "170", "178", "186"].contains(ctx.syslog_pri)' + value: critical + - set: + field: "log.level" + if: '["3", "11", "19", "27", "35", "43", "51", "59", "67", "75", "83", "91", "99", "107", 
"115", "131", "139", "147", "155", "163", "171", "179", "187"].contains(ctx.syslog_pri)' + value: error + - set: + field: "log.level" + if: '["4", "12", "20", "28", "36", "44", "52", "60", "68", "76", "84", "92", "100", "108", "116", "132", "140", "148", "156", "164", "172", "180", "188"].contains(ctx.syslog_pri)' + value: warning + - set: + field: "log.level" + if: '["5", "13", "21", "29", "37", "45", "53", "61", "69", "77", "85", "93", "101", "109", "117", "133", "141", "149", "157", "165", "173", "181", "189"].contains(ctx.syslog_pri)' + value: notification + - set: + field: "log.level" + if: '["6", "14", "22", "30", "38", "46", "54", "62", "70", "78", "86", "94", "102", "110", "118", "134", "142", "150", "158", "166", "174", "182", "190"].contains(ctx.syslog_pri)' + value: informational + - set: + field: "log.level" + if: '["7", "15", "23", "31", "39", "47", "55", "63", "71", "79", "87", "95", "103", "111", "119", "135", "143", "151", "159", "167", "175", "183", "191"].contains(ctx.syslog_pri)' + value: debug + +########################## +## ECS Observer Mapping ## +########################## + - set: + field: observer.vendor + value: Juniper + - set: + field: observer.product + value: SRX + - set: + field: observer.type + value: firewall + - rename: + field: syslog_hostname + target_field: observer.name + ignore_missing: true + - rename: + field: juniper.srx.packet_incoming_interface + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: juniper.srx.destination_interface_name + target_field: observer.egress.interface.name + ignore_missing: true + - rename: + field: juniper.srx.source_interface_name + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: juniper.srx.interface_name + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: juniper.srx.source_zone_name + target_field: observer.ingress.zone + ignore_missing: true + - rename: + field: 
juniper.srx.source_zone + target_field: observer.ingress.zone + ignore_missing: true + - rename: + field: juniper.srx.destination_zone_name + target_field: observer.egress.zone + ignore_missing: true + - rename: + field: juniper.srx.destination_zone + target_field: observer.egress.zone + ignore_missing: true + - rename: + field: syslog_program + target_field: juniper.srx.process + ignore_missing: true + - rename: + field: log_type + target_field: juniper.srx.tag + ignore_missing: true + + +############# +## Cleanup ## +############# + - remove: + field: + - message + - _temp_ + - juniper.srx.duration + - juniper.srx.dir_disp + - juniper.srx.srczone + - juniper.srx.dstzone + - juniper.srx.duration + - syslog_pri + ignore_missing: true + +################################ +## Product Specific Pipelines ## +################################ + - pipeline: + name: '{{ IngestPipeline "flow" }}' + if: "ctx.juniper?.srx?.process == 'RT_FLOW'" + - pipeline: + name: '{{ IngestPipeline "utm" }}' + if: "ctx.juniper?.srx?.process == 'RT_UTM'" + - pipeline: + name: '{{ IngestPipeline "idp" }}' + if: "ctx.juniper?.srx?.process == 'RT_IDP'" + - pipeline: + name: '{{ IngestPipeline "ids" }}' + if: "ctx.juniper?.srx?.process == 'RT_IDS'" + - pipeline: + name: '{{ IngestPipeline "atp" }}' + if: "ctx.juniper?.srx?.process == 'RT_AAMW'" + - pipeline: + name: '{{ IngestPipeline "secintel" }}' + if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'" + +######################### +## ECS Related Mapping ## +######################### + - append: + if: 'ctx.source?.ip != null' + field: related.ip + value: '{{source.ip}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.destination?.ip != null' + field: related.ip + value: '{{destination.ip}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.source?.nat?.ip != null' + field: related.ip + value: '{{source.nat.ip}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 
'ctx?.destination?.nat?.ip != null' + field: related.ip + value: '{{destination.nat.ip}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.url?.domain != null' + field: related.hosts + value: '{{url.domain}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.source?.domain != null' + field: related.hosts + value: '{{source.domain}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.destination?.domain != null' + field: related.hosts + value: '{{destination.domain}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx?.source?.user?.name != null' + field: related.user + value: '{{source.user.name}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx?.destination?.user?.name != null' + field: related.user + value: '{{destination.user.name}}' + ignore_failure: true + allow_duplicates: false + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/flow.yml b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/flow.yml new file mode 100755 index 0000000000..bf9fcbeb05 --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/flow.yml 
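Review bot: `event.severity` receives the raw syslog PRI from `syslog_pri` (facility * 8 + severity, e.g. 190 for local7.info) rather than the 0–7 severity, so it is not comparable across facilities, while the eight hand-written `log.level` lists that follow decode the severity correctly but skip every PRI from 120 to 127 (each list jumps from `"112"` to `"128"` and so on), leaving facility-15 messages without a level. Both problems disappear if the severity is computed once: replace the `convert` on `syslog_pri` and the eight `set` processors with a single script that masks the PRI and indexes a level table, as below. If existing dashboards depend on the raw PRI in `event.severity`, copy it to `juniper.srx.syslog_pri` before the cleanup step removes `syslog_pri`. Separately, the `kv` split on `" (?=[a-z0-9\\_\\-]+=)"` will cut inside a quoted value that happens to contain ` word=`, so an attacker-influenced field such as a URL or username could inject a key that the rest of the pipeline treats as device-supplied; whether the SRX escapes such values is not visible here and is worth confirming against a sample.
```yaml
  # replaces the convert on syslog_pri and the eight log.level set processors
  - script:
      lang: painless
      if: ctx.syslog_pri != null
      params:
        levels: [emergency, alert, critical, error, warning, notification, informational, debug]
      source: >-
        int sev = Integer.parseInt(ctx.syslog_pri) & 7;
        ctx.event.severity = sev;
        if (ctx.log == null) { ctx.log = [:]; }
        ctx.log.level = params.levels[sev];
  # … unchanged: ECS observer mapping …
```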
@@ -0,0 +1,363 @@ +--- +description: Pipeline for parsing junipersrx firewall logs (flow pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- convert: + field: juniper.srx.application_risk + type: float + target_field: event.risk_score + ignore_missing: true + ignore_failure: true +- append: + field: event.type + value: + - start + - allowed + - connection + if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" +- append: + field: event.type + value: + - end + - allowed + - connection + if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" +- set: + field: event.action + value: flow_started + if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')" +- set: + field: event.action + value: flow_close + if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')" +- set: + field: event.action + value: flow_deny + if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- 
rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx?.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server != null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: 
"ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: 
juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: juniper.srx.policy_name + target_field: rule.name + ignore_missing: true + if: "ctx.juniper?.srx?.policy_name != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true 
+ if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.client.packets + ctx.server.packets" + if: "ctx?.client?.packets != null && ctx?.server?.packets != null" + ignore_failure: true + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.application_risk + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/idp.yml b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/idp.yml new file mode 100755 index 0000000000..0b26118a9f --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/idp.yml 
@@ -0,0 +1,288 @@ +--- +description: Pipeline for parsing junipersrx firewall logs (idp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.category + value: intrusion_detection + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["IDP_ATTACK_LOG_EVENT", "IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_ATTACK_LOG_EVENT_LS", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: application_ddos + if: '["IDP_APPDDOS_APP_STATE_EVENT", "IDP_APPDDOS_APP_ATTACK_EVENT", "IDP_APPDDOS_APP_STATE_EVENT_LS", "IDP_APPDDOS_APP_ATTACK_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: security_threat + if: '["IDP_ATTACK_LOG_EVENT", "IDP_ATTACK_LOG_EVENT_LS"].contains(ctx.juniper?.srx?.tag)' + + +#################################### +## ECS Server/Destination Mapping ## 
+#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx['nat_destination_port'] != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.inbound_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.inbound_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.inbound_packets + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: 
"ctx.juniper?.srx?.inbound_packets !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.outbound_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.outbound_bytes != null" +- 
set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.outbound_packets + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.outbound_packets != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: juniper.srx.rulebase_name + target_field: rule.name + ignore_missing: true + if: "ctx.juniper?.srx?.rulebase_name != null" +- rename: + field: juniper.srx.rule_name + target_field: rule.id + ignore_missing: true + if: "ctx.juniper?.srx?.rule_name != null" + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: juniper.srx.protocol_name + target_field: network.protocol + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_name != null" + +######################### +## ECS message Mapping ## +######################### +- rename: + field: juniper.srx.message + target_field: message + ignore_missing: true + if: "ctx.juniper?.srx?.message != null" + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.outbound_bytes + - juniper.srx.outbound_packets + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.inbound_bytes + - juniper.srx.inbound_packets + ignore_missing: true + +on_failure: +- set: 
+ field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/ids.yml b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/ids.yml new file mode 100755 index 0000000000..9b39206834 --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/ids.yml 
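Review bot: The null check on the `nat_destination_port` convert processor uses bracket access, `if: "ctx.juniper?.srx['nat_destination_port'] != null"`, while every sibling processor in this file (and in the ids/secintel pipelines) uses the null-safe form; if I read Painless null-safety correctly, `?.` guards only the next access, so a document without `juniper` would raise here instead of evaluating to false. Suggest `if: "ctx.juniper?.srx?.nat_destination_port != null"`. The `inbound_packets` condition also lost a space (`!=null`); harmless to Painless but worth normalising to `!= null` so the conditions stay greppable. The six-element IDP tag list is copied verbatim into five conditions; a single `set` of a temporary boolean (e.g. a `_temp.is_idp_alert` flag dropped in the cleanup block) referenced by the other processors would keep the alert/allowed split from drifting when a tag is added.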
@@ -0,0 +1,364 @@ +--- +description: Pipeline for parsing junipersrx firewall logs (ids pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.category + value: intrusion_detection + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["RT_SCREEN_TCP", "RT_SCREEN_UDP", "RT_SCREEN_ICMP", "RT_SCREEN_IP", "RT_SCREEN_TCP_DST_IP", "RT_SCREEN_TCP_SRC_IP", "RT_SCREEN_TCP_LS", "RT_SCREEN_UDP_LS", "RT_SCREEN_ICMP_LS", "RT_SCREEN_IP_LS", "RT_SCREEN_TCP_DST_IP_LS", "RT_SCREEN_TCP_SRC_IP_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: flood_detected + if: '["ICMP flood!", "UDP flood!", "SYN flood!", "SYN flood Src-IP based!", "SYN flood Dst-IP based!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: 
event.action + value: scan_detected + if: "ctx.juniper?.srx?.attack_name == 'TCP port scan!'" +- set: + field: event.action + value: sweep_detected + if: '["TCP sweep!", "IP sweep!", "UDP sweep!", "Address sweep!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: fragment_detected + if: '["ICMP fragment!", "SYN fragment!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: spoofing_detected + if: "ctx.juniper?.srx?.attack_name == 'IP spoofing!'" +- set: + field: event.action + value: session_limit_detected + if: '["Src IP session limit!", "Dst IP session limit!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: attack_detected + if: '["Land attack!", "WinNuke attack!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: illegal_tcp_flag_detected + if: '["No TCP flag!", "SYN and FIN bits!", "FIN but no ACK bit!"].contains(ctx.juniper?.srx?.attack_name)' +- set: + field: event.action + value: tunneling_screen + if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + 
type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + 
field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: 
"ctx.juniper?.srx?.username != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + +############# +## Cleanup ## +############# +- remove: + field: + - 
juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/secintel.yml b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/secintel.yml new file mode 100755 index 0000000000..790a8aa9cb --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/secintel.yml 
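Review bot: The `tunneling_screen` condition, `if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')"`, calls a method on the result of the null-safe chain; if I read Painless null-safety correctly, `?.` guards only the next access, so any log routed to this pipeline without `attack_name` would throw here, trip `on_failure`, and lose the whole source/destination/geo mapping that follows. Suggest `if: "ctx.juniper?.srx?.attack_name != null && ctx.juniper.srx.attack_name.startsWith('Tunnel')"`. The eight other `event.action` values end in `_detected`; `tunneling_screen` breaks that pattern and `tunneling_detected` would read consistently for anyone keying detections on `event.action`. As in the idp pipeline, the RT_SCREEN tag list is copied into five conditions; hoisting it into one temporary boolean would keep the alert/allowed split in sync.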
@@ -0,0 +1,350 @@ +--- +description: Pipeline for parsing junipersrx firewall logs (secintel pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- set: + field: event.kind + value: alert + if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.category + value: malware + if: 'ctx.juniper?.srx?.tag == "SECINTEL_ACTION_LOG" && ctx.juniper?.srx?.action != "PERMIT"' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.juniper?.srx?.action == 'BLOCK'" +- append: + field: event.type + value: + - allowed + - connection + if: "ctx.juniper?.srx?.action != 'BLOCK'" +- set: + field: event.action + value: malware_detected + if: "ctx.juniper?.srx?.action == 'BLOCK'" + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: 
juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != 
null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" +- rename: + field: juniper.srx.hostname + target_field: source.address + 
ignore_missing: true + if: "ctx.juniper?.srx?.hostname != null" +- rename: + field: juniper.srx.client_ip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.client_ip != null" + +###################### +## ECS URL Mapping ## +###################### +- rename: + field: juniper.srx.http_host + target_field: url.domain + ignore_missing: true + if: "ctx.juniper?.srx?.http_host != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + 
target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/utm.yml b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/utm.yml new file mode 100755 index 0000000000..056f23dbe1 --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/elasticsearch/ingest_pipeline/utm.yml 
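Review bot: The alert predicates disagree: `event.kind: alert` and `event.category: malware` fire on `tag == "SECINTEL_ACTION_LOG" && action != "PERMIT"`, while `event.type: denied` and `event.action: malware_detected` fire only on `action == 'BLOCK'`, so a SecIntel action that is neither PERMIT nor BLOCK (if the device emits one) would be indexed as an alert of category malware yet typed `allowed`/`connection` with no `event.action`, which is the worst shape for a detection rule keyed on `event.type`. Pick one predicate and reuse it, e.g. `if: "ctx.juniper?.srx?.action != 'PERMIT'"` on the denied/malware_detected processors, or `== 'BLOCK'` on the alert/malware ones. Separately, `source_address`, `sourceip` and `client_ip` are all renamed into `source.ip`; rename fails when the target field already exists and `ignore_missing` does not cover that case, so a log carrying two of these fields would hit `on_failure` — guard each later rename with `&& ctx.source?.ip == null`, or send the duplicate to `related.ip` instead.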
@@ -0,0 +1,391 @@ +--- +description: Pipeline for parsing junipersrx firewall logs (utm pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: "ctx.juniper?.srx?.tag != null" +- append: + field: event.category + value: network +- convert: + field: juniper.srx.urlcategory_risk + type: float + target_field: event.risk_score + ignore_missing: true + ignore_failure: true +- set: + field: event.kind + value: alert + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.category + value: malware + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- append: + field: event.type + value: + - allowed + - connection + if: '!["AV_VIRUS_DETECTED_MT", "WEBFILTER_URL_BLOCKED", "ANTISPAM_SPAM_DETECTED_MT", "CONTENT_FILTERING_BLOCKED_MT", "AV_VIRUS_DETECTED_MT_LS", "WEBFILTER_URL_BLOCKED_LS", "ANTISPAM_SPAM_DETECTED_MT_LS", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: web_filter + if: '["WEBFILTER_URL_BLOCKED", "WEBFILTER_URL_BLOCKED_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + 
field: event.action + value: content_filter + if: '["CONTENT_FILTERING_BLOCKED_MT", "CONTENT_FILTERING_BLOCKED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: antispam_filter + if: '["ANTISPAM_SPAM_DETECTED_MT", "ANTISPAM_SPAM_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' +- set: + field: event.action + value: virus_detected + if: '["AV_VIRUS_DETECTED_MT", "AV_VIRUS_DETECTED_MT_LS"].contains(ctx.juniper?.srx?.tag)' + + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: juniper.srx.destination_address + target_field: destination.ip + ignore_missing: true + if: "ctx.juniper?.srx?.destination_address != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: juniper.srx.nat_destination_address + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_address != null" +- convert: + field: juniper.srx.destination_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.destination_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: juniper.srx.nat_destination_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_destination_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_server + target_field: 
destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_server != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: juniper.srx.packets_from_server + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_server !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: juniper.srx.source_address + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.source_address != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: juniper.srx.nat_source_address + target_field: source.nat.ip + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_address != null" +- rename: + field: juniper.srx.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.juniper?.srx?.sourceip != null" +- convert: + field: juniper.srx.source_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.source_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: juniper.srx.nat_source_port + target_field: source.nat.port + type: long + 
ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.nat_source_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- convert: + field: juniper.srx.bytes_from_client + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.bytes_from_client != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- convert: + field: juniper.srx.packets_from_client + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.juniper?.srx?.packets_from_client != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: juniper.srx.username + target_field: source.user.name + ignore_missing: true + if: "ctx.juniper?.srx?.username != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: juniper.srx.policy_name + target_field: rule.name + ignore_missing: true + if: "ctx.juniper?.srx?.policy_name != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: juniper.srx.url + target_field: url.domain + ignore_missing: true + if: "ctx.juniper?.srx?.url != null" +- rename: + field: juniper.srx.obj + target_field: url.path + ignore_missing: true + if: "ctx.juniper?.srx?.obj != null" + +###################### +## ECS File Mapping ## 
+###################### +- rename: + field: juniper.srx.filename + target_field: file.name + ignore_missing: true + if: "ctx.juniper?.srx?.filename != null" + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: juniper.srx.protocol + target_field: network.protocol + ignore_missing: true + if: "ctx.juniper?.srx?.protocol != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: juniper.srx.protocol_id + target_field: network.iana_number + ignore_missing: true + if: "ctx.juniper?.srx?.protocol_id != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: 
source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - juniper.srx.destination_port + - juniper.srx.nat_destination_port + - juniper.srx.bytes_from_client + - juniper.srx.packets_from_client + - juniper.srx.source_port + - juniper.srx.nat_source_port + - juniper.srx.bytes_from_server + - juniper.srx.packets_from_server + - juniper.srx.urlcategory_risk + ignore_missing: true + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/juniper/1.1.1/data_stream/srx/fields/agent.yml b/packages/juniper/1.1.1/data_stream/srx/fields/agent.yml new file mode 100755 index 0000000000..c5d5959b5a --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/fields/agent.yml 
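Review bot: In the Client/Source section `client.ip` is copied from `source.ip` before the `rename` of `juniper.srx.sourceip` to `source.ip`, so an event whose address arrives only in `sourceip` ends up with `source.ip` populated but no `client.ip`; move the `- rename: field: juniper.srx.sourceip` / `target_field: source.ip` processor above the `- set: field: client.ip` processor (or add a second `set` after it). If a log can carry both `source_address` and `sourceip`, that second rename would also fail because its target already exists, and without `ignore_failure` the whole document is routed to `on_failure`; a `ctx.source?.ip == null` guard in its `if` would avoid that. The eight-entry tag list is duplicated verbatim in four `if` conditions; setting a temporary flag once (e.g. a constructed `_tmp.blocked`) and testing it would keep them in sync when a tag is added. Note too that any tag absent from that list falls into the `allowed` branch of `event.type`, so a UTM block tag not yet in the list would be categorised as allowed traffic until the list is updated.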
@@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
+- name: log.offset + type: long + description: Byte offset of the log line within its file. +- name: log.source.address + type: keyword + description: Source address of the syslog message. diff --git a/packages/juniper/1.1.1/data_stream/srx/fields/base-fields.yml b/packages/juniper/1.1.1/data_stream/srx/fields/base-fields.yml new file mode 100755 index 0000000000..2b9703542a --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: juniper +- name: event.dataset + type: constant_keyword + description: Event dataset + value: juniper.srx +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/juniper/1.1.1/data_stream/srx/fields/ecs.yml b/packages/juniper/1.1.1/data_stream/srx/fields/ecs.yml new file mode 100755 index 0000000000..1f1abf751c --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/fields/ecs.yml 
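Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so a YAML parser reads the example of a keyword field as an integer; quote it as `example: "666777888999"`, matching how `host.os.build` already quotes `"18D109"` later in the same hunk. The `description: >` folded scalars for `containerized`, `os.build` and `os.codename` are each followed by a blank line inside the scalar, which with clip chomping leaves a trailing newline in the description text; `description: >-` would drop it and match the single-line descriptions elsewhere in the file.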
@@ -0,0 +1,2594 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + Extended build information for the agent. + This field is intended to contain any build information that a data source may provide, no specific formatting is required. + name: agent.build.original + type: keyword +- description: |- + Ephemeral identifier of this agent (if one exists). + This id normally changes across restarts, but `agent.id` does not. + name: agent.ephemeral_id + type: keyword +- description: |- + Unique identifier of this agent (if one exists). + Example: For Beats this would be beat.id. + name: agent.id + type: keyword +- description: |- + Custom name of the agent. + This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. + If no name is given, the name is often left empty. + name: agent.name + type: keyword +- description: |- + Type of the agent. + The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + name: agent.type + type: keyword +- description: Version of the agent. + name: agent.version + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: as.number + type: long +- description: Organization name. 
+ multi_fields: + - name: text + type: match_only_text + name: as.organization.name + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: client.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: client.geo.name + type: keyword +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. 
+ name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + MAC address of the client. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: client.mac + type: keyword +- description: |- + Translated IP of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.port + type: long +- description: Packets sent from the client to the server. + name: client.packets + type: long +- description: Port of the client. + name: client.port + type: long +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. 
+ For example, an LDAP or Active Directory domain name. + name: client.user.domain + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: client.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: client.user.group.id + type: keyword +- description: Name of the group. + name: client.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: client.user.hash + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: Array of user roles at the time of the event. + name: client.user.roles + type: keyword +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. 
+ name: cloud.instance.id + type: keyword +- description: Instance name of the host machine. + name: cloud.instance.name + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: |- + The cloud project identifier. + Examples: Google Cloud Project id, Azure Project id. + name: cloud.project.id + type: keyword +- description: |- + The cloud project name. + Examples: Google Cloud Project name, Azure Project name. + name: cloud.project.name + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: Boolean to capture if a signature is present. + name: code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + name: code_signature.status + type: keyword +- description: Subject name of the code signer + name: code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + name: code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. + name: code_signature.valid + type: boolean +- description: Unique container id. + name: container.id + type: keyword +- description: Name of the image the container was built on. + name: container.image.name + type: keyword +- description: Container image tags. 
+ name: container.image.tag + type: keyword +- description: Image labels. + name: container.labels + type: object +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. 
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: User email address. + name: destination.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: destination.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: destination.user.group.id + type: keyword +- description: Name of the group. + name: destination.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: destination.user.hash + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: Array of user roles at the time of the event. + name: destination.user.roles + type: keyword +- description: Boolean to capture if a signature is present. + name: dll.code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. 
Leave unpopulated if the validity or trust of the certificate was unchecked. + name: dll.code_signature.status + type: keyword +- description: Subject name of the code signer + name: dll.code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + name: dll.code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. + name: dll.code_signature.valid + type: boolean +- description: MD5 hash. + name: dll.hash.md5 + type: keyword +- description: SHA1 hash. + name: dll.hash.sha1 + type: keyword +- description: SHA256 hash. + name: dll.hash.sha256 + type: keyword +- description: SHA512 hash. + name: dll.hash.sha512 + type: keyword +- description: |- + Name of the library. + This generally maps to the name of the file on disk. + name: dll.name + type: keyword +- description: Full file path of the library. + name: dll.path + type: keyword +- description: CPU architecture target for the file. + name: dll.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: dll.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: dll.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: dll.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. 
+ name: dll.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: dll.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: dll.pe.product + type: keyword +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + Array of 2 letter DNS header flags. + Expected values are: AA, TC, RD, RA, AD, CD, DO. + name: dns.header_flags + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. 
The identifier is copied to the response. + name: dns.id + type: keyword +- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + name: dns.op_code + type: keyword +- description: The class of records being queried. + name: dns.question.class + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. 
+ name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error code describing the error. + name: error.code + type: keyword +- description: Unique identifier for the error. + name: error.id + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: The stack trace of this error in plain text. + multi_fields: + - name: text + type: match_only_text + name: error.stack_trace + type: wildcard +- description: The type of the error, for example the class name of the exception. + name: error.type + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. 
+ name: event.end + type: date +- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + name: event.hash + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + Reference URL linking to additional information about this event. + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.reference + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). 
Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Normalized risk score or priority of the event, on a scale of 0 to 100. + This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + name: event.risk_score_norm + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: |- + Last time the file was accessed. + Note that not all filesystems keep track of access time. + name: file.accessed + type: date +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + type: keyword +- description: Boolean to capture if a signature is present. + name: file.code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + name: file.code_signature.status + type: keyword +- description: Subject name of the code signer + name: file.code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
+ name: file.code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. + name: file.code_signature.valid + type: boolean +- description: |- + File creation time. + Note that not all filesystems store the creation time. + name: file.created + type: date +- description: |- + Last time the file attributes or metadata changed. + Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + name: file.ctime + type: date +- description: Device that is the source of the file. + name: file.device + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + Drive letter where the file is located. This field is only relevant on Windows. + The value should be uppercase, and not include the colon. + name: file.drive_letter + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Primary group ID (GID) of the file. + name: file.gid + type: keyword +- description: Primary group name of the file. + name: file.group + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: SHA512 hash. + name: file.hash.sha512 + type: keyword +- description: Inode representing the file in the filesystem. 
+ name: file.inode + type: keyword +- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + name: file.mime_type + type: keyword +- description: Mode of the file in octal representation. + name: file.mode + type: keyword +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: File owner's username. + name: file.owner + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: CPU architecture target for the file. + name: file.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: file.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: file.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: file.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: file.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: file.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. 
+ name: file.pe.product + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: Target path for symlinks. + multi_fields: + - name: text + type: match_only_text + name: file.target_path + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: The user ID (UID) or security identifier (SID) of the file owner. + name: file.uid + type: keyword +- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + name: file.x509.alternative_names + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: file.x509.issuer.common_name + type: keyword +- description: List of country (C) codes + name: file.x509.issuer.country + type: keyword +- description: Distinguished name (DN) of issuing certificate authority. + name: file.x509.issuer.distinguished_name + type: keyword +- description: List of locality names (L) + name: file.x509.issuer.locality + type: keyword +- description: List of organizations (O) of issuing certificate authority. + name: file.x509.issuer.organization + type: keyword +- description: List of organizational units (OU) of issuing certificate authority. + name: file.x509.issuer.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: file.x509.issuer.state_or_province + type: keyword +- description: Time at which the certificate is no longer considered valid. + name: file.x509.not_after + type: date +- description: Time at which the certificate is first considered valid. + name: file.x509.not_before + type: date +- description: Algorithm used to generate the public key. 
+ name: file.x509.public_key_algorithm + type: keyword +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. + name: file.x509.public_key_curve + type: keyword +- description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + index: false + name: file.x509.public_key_exponent + type: long +- description: The size of the public key space in bits. + name: file.x509.public_key_size + type: long +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: file.x509.serial_number + type: keyword +- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + name: file.x509.signature_algorithm + type: keyword +- description: List of common names (CN) of subject. + name: file.x509.subject.common_name + type: keyword +- description: List of country (C) code + name: file.x509.subject.country + type: keyword +- description: Distinguished name (DN) of the certificate subject entity. + name: file.x509.subject.distinguished_name + type: keyword +- description: List of locality names (L) + name: file.x509.subject.locality + type: keyword +- description: List of organizations (O) of subject. + name: file.x509.subject.organization + type: keyword +- description: List of organizational units (OU) of subject. + name: file.x509.subject.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: file.x509.subject.state_or_province + type: keyword +- description: Version of x509 format. + name: file.x509.version_number + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Name of the continent. 
+ name: geo.continent_name + type: keyword +- description: Country ISO code. + name: geo.country_iso_code + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: Longitude and latitude. + name: geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region ISO code. + name: geo.region_iso_code + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: MD5 hash. + name: hash.md5 + type: keyword +- description: SHA1 hash. + name: hash.sha1 + type: keyword +- description: SHA256 hash. + name: hash.sha256 + type: keyword +- description: SHA512 hash. + name: hash.sha512 + type: keyword +- description: Operating system architecture. + name: host.architecture + type: keyword +- description: |- + Name of the domain of which the host is a member. + For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + name: host.domain + type: keyword +- description: City name. + name: host.geo.city_name + type: keyword +- description: Name of the continent. + name: host.geo.continent_name + type: keyword +- description: Country ISO code. + name: host.geo.country_iso_code + type: keyword +- description: Country name. 
+ name: host.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: host.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: host.geo.name + type: keyword +- description: Region ISO code. + name: host.geo.region_iso_code + type: keyword +- description: Region name. + name: host.geo.region_name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: host.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: host.os.full + type: keyword +- description: Operating system kernel version as a raw string. 
+ name: host.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: host.os.platform + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + Type of host. + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + name: host.type + type: keyword +- description: Seconds the host has been up. + name: host.uptime + type: long +- description: Size in bytes of the request body. + name: http.request.body.bytes + type: long +- description: The full HTTP request body. + multi_fields: + - name: text + type: match_only_text + name: http.request.body.content + type: wildcard +- description: Total size in bytes of the request (body and headers). + name: http.request.bytes + type: long +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: Size in bytes of the response body. + name: http.response.body.bytes + type: long +- description: The full HTTP response body. + multi_fields: + - name: text + type: match_only_text + name: http.response.body.content + type: wildcard +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: HTTP version. 
+ name: http.version + type: keyword +- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + name: interface.alias + type: keyword +- description: Interface ID as reported by an observer (typically SNMP interface ID). + name: interface.id + type: keyword +- description: Interface name as reported by the system. + name: interface.name + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + name: log.syslog + type: object +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: The Syslog text-based facility of the log event, if available. 
+ name: log.syslog.facility.name + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + name: log.syslog.severity.name + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. 
+ name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. 
Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: VLAN ID as reported by the observer. + name: network.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.vlan.name + type: keyword +- description: Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + name: observer.egress + type: object +- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. 
inside, outside, or dmz logical interface naming. + name: observer.egress.interface.alias + type: keyword +- description: Interface ID as reported by an observer (typically SNMP interface ID). + name: observer.egress.interface.id + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: VLAN ID as reported by the observer. + name: observer.egress.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: observer.egress.vlan.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: City name. + name: observer.geo.city_name + type: keyword +- description: Name of the continent. + name: observer.geo.continent_name + type: keyword +- description: Country ISO code. + name: observer.geo.country_iso_code + type: keyword +- description: Country name. + name: observer.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: observer.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: observer.geo.name + type: keyword +- description: Region ISO code. + name: observer.geo.region_iso_code + type: keyword +- description: Region name. + name: observer.geo.region_name + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. 
Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + name: observer.ingress + type: object +- description: Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + name: observer.ingress.interface.alias + type: keyword +- description: Interface ID as reported by an observer (typically SNMP interface ID). + name: observer.ingress.interface.id + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: VLAN ID as reported by the observer. + name: observer.ingress.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: observer.ingress.vlan.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + MAC addresses of the observer. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: observer.mac + type: keyword +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: observer.os.family + type: keyword +- description: Operating system name, including the version or code name. 
+ multi_fields: + - name: text + type: match_only_text + name: observer.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: observer.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: observer.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: observer.os.platform + type: keyword +- description: Operating system version as a raw string. + name: observer.os.version + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Observer serial number. + name: observer.serial_number + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). 
+ name: os.platform + type: keyword +- description: Operating system version as a raw string. + name: os.version + type: keyword +- description: Package architecture. + name: package.architecture + type: keyword +- description: |- + Additional information about the build version of the installed package. + For example use the commit SHA of a non-released package. + name: package.build_version + type: keyword +- description: Checksum of the installed package for verification. + name: package.checksum + type: keyword +- description: Description of the package. + name: package.description + type: keyword +- description: Indicating how the package was installed, e.g. user-local, global. + name: package.install_scope + type: keyword +- description: Time when package was installed. + name: package.installed + type: date +- description: |- + License under which the package was released. + Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + name: package.license + type: keyword +- description: Package name + name: package.name + type: keyword +- description: Path where the package is installed. + name: package.path + type: keyword +- description: Home page or reference URL of the software in this package, if available. + name: package.reference + type: keyword +- description: Package size in bytes. + name: package.size + type: long +- description: |- + Type of package. + This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. + name: package.type + type: keyword +- description: Package version + name: package.version + type: keyword +- description: CPU architecture target for the file. + name: pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. 
+ name: pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: pe.product + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: Boolean to capture if a signature is present. + name: process.code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + name: process.code_signature.status + type: keyword +- description: Subject name of the code signer + name: process.code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. 
+ name: process.code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. + name: process.code_signature.valid + type: boolean +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + The exit code of the process, if this is a termination event. + The field should be absent if there is no exit code for the event (e.g. process start). + name: process.exit_code + type: long +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: SHA512 hash. + name: process.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. 
+ May be filtered to protect sensitive information. + name: process.parent.args + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.parent.args_count + type: long +- description: Boolean to capture if a signature is present. + name: process.parent.code_signature.exists + type: boolean +- description: |- + Additional information about the certificate status. + This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + name: process.parent.code_signature.status + type: keyword +- description: Subject name of the code signer + name: process.parent.code_signature.subject_name + type: keyword +- description: |- + Stores the trust status of the certificate chain. + Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + name: process.parent.code_signature.trusted + type: boolean +- description: |- + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. + name: process.parent.code_signature.valid + type: boolean +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. 
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: |- + The exit code of the process, if this is a termination event. + The field should be absent if there is no exit code for the event (e.g. process start). + name: process.parent.exit_code + type: long +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.parent.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.parent.hash.sha256 + type: keyword +- description: SHA512 hash. + name: process.parent.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: CPU architecture target for the file. + name: process.parent.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: process.parent.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: process.parent.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. + name: process.parent.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: process.parent.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: process.parent.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: process.parent.pe.product + type: keyword +- description: Identifier of the group of processes the process belongs to. + name: process.parent.pgid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: The time the process started. + name: process.parent.start + type: date +- description: Thread ID. + name: process.parent.thread.id + type: long +- description: Thread name. + name: process.parent.thread.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Seconds the process has been up. + name: process.parent.uptime + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.parent.working_directory + type: keyword +- description: CPU architecture target for the file. + name: process.pe.architecture + type: keyword +- description: Internal company name of the file, provided at compile-time. + name: process.pe.company + type: keyword +- description: Internal description of the file, provided at compile-time. + name: process.pe.description + type: keyword +- description: Internal version of the file, provided at compile-time. 
+ name: process.pe.file_version + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: process.pe.imphash + type: keyword +- description: Internal name of the file, provided at compile-time. + name: process.pe.original_file_name + type: keyword +- description: Internal product name of the file, provided at compile-time. + name: process.pe.product + type: keyword +- description: Identifier of the group of processes the process belongs to. + name: process.pgid + type: long +- description: Process id. + name: process.pid + type: long +- description: The time the process started. + name: process.start + type: date +- description: Thread ID. + name: process.thread.id + type: long +- description: Thread name. + name: process.thread.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: Seconds the process has been up. + name: process.uptime + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + Original bytes written with base64 encoding. + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. 
+ name: registry.data.bytes + type: keyword +- description: |- + Content when writing string types. + Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + name: registry.data.strings + type: wildcard +- description: Standard registry type for encoding contents + name: registry.data.type + type: keyword +- description: Abbreviated name for the hive. + name: registry.hive + type: keyword +- description: Hive-relative path of keys. + name: registry.key + type: keyword +- description: Full path, including hive, key and value + name: registry.path + type: keyword +- description: Name of the value written. + name: registry.value + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + name: rule.author + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: The description of the rule generating the event. 
+ name: rule.description + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: Name of the license under which the rule used to generate this event is made available. + name: rule.license + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Reference URL to additional information about the rule used to generate this event. + The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. + name: rule.reference + type: keyword +- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + name: rule.ruleset + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: The version / revision of the rule being used for analysis. + name: rule.version + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: server.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: server.as.organization.name + type: keyword +- description: Bytes sent from the server to the client. 
+ name: server.bytes + type: long +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: City name. + name: server.geo.city_name + type: keyword +- description: Name of the continent. + name: server.geo.continent_name + type: keyword +- description: Country ISO code. + name: server.geo.country_iso_code + type: keyword +- description: Country name. + name: server.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: server.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: server.geo.name + type: keyword +- description: Region ISO code. + name: server.geo.region_iso_code + type: keyword +- description: Region name. + name: server.geo.region_name + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: |- + MAC address of the server. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: server.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: server.nat.ip + type: ip +- description: |- + Translated port of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. 
+ name: server.nat.port + type: long +- description: Packets sent from the server to the client. + name: server.packets + type: long +- description: Port of the server. + name: server.port + type: long +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: server.user.domain + type: keyword +- description: User email address. + name: server.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: server.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: server.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: server.user.group.id + type: keyword +- description: Name of the group. + name: server.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. 
+ Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: server.user.hash + type: keyword +- description: Unique identifier of the user. + name: server.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: Array of user roles at the time of the event. + name: server.user.roles + type: keyword +- description: |- + Ephemeral identifier of this service (if one exists). + This id normally changes across restarts, but `service.id` does not. + name: service.ephemeral_id + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Name of a service node. + This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. + In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. 
In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + name: service.node.name + type: keyword +- description: Current state of the service. + name: service.state + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + Version of the service the data was collected from. + This allows to look at a data set only for a specific version of a service. + name: service.version + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. 
+ name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. 
+ For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: source.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: source.user.group.id + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: source.user.hash + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. 
+ multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: Array of user roles at the time of the event. + name: source.user.roles + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. + name: threat.framework + type: keyword +- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.id + type: keyword +- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + name: threat.tactic.name + type: keyword +- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.reference + type: keyword +- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.id + type: keyword +- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + multi_fields: + - name: text + type: match_only_text + name: threat.technique.name + type: keyword +- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.reference + type: keyword +- description: String indicating the cipher used during the current connection. 
+ name: tls.cipher + type: keyword +- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. + name: tls.client.certificate + type: keyword +- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. + name: tls.client.certificate_chain + type: keyword +- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.client.hash.md5 + type: keyword +- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.client.hash.sha1 + type: keyword +- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.client.hash.sha256 + type: keyword +- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + name: tls.client.issuer + type: keyword +- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. + name: tls.client.ja3 + type: keyword +- description: Date/Time indicating when client certificate is no longer considered valid. + name: tls.client.not_after + type: date +- description: Date/Time indicating when client certificate is first considered valid. 
+ name: tls.client.not_before + type: date +- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + name: tls.client.server_name + type: keyword +- description: Distinguished name of subject of the x.509 certificate presented by the client. + name: tls.client.subject + type: keyword +- description: Array of ciphers offered by the client during the client hello. + name: tls.client.supported_ciphers + type: keyword +- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + name: tls.client.x509.alternative_names + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: tls.client.x509.issuer.common_name + type: keyword +- description: List of country (C) codes + name: tls.client.x509.issuer.country + type: keyword +- description: Distinguished name (DN) of issuing certificate authority. + name: tls.client.x509.issuer.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.client.x509.issuer.locality + type: keyword +- description: List of organizations (O) of issuing certificate authority. + name: tls.client.x509.issuer.organization + type: keyword +- description: List of organizational units (OU) of issuing certificate authority. + name: tls.client.x509.issuer.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.client.x509.issuer.state_or_province + type: keyword +- description: Time at which the certificate is no longer considered valid. + name: tls.client.x509.not_after + type: date +- description: Time at which the certificate is first considered valid. 
+ name: tls.client.x509.not_before + type: date +- description: Algorithm used to generate the public key. + name: tls.client.x509.public_key_algorithm + type: keyword +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. + name: tls.client.x509.public_key_curve + type: keyword +- description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + index: false + name: tls.client.x509.public_key_exponent + type: long +- description: The size of the public key space in bits. + name: tls.client.x509.public_key_size + type: long +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: tls.client.x509.serial_number + type: keyword +- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + name: tls.client.x509.signature_algorithm + type: keyword +- description: List of common names (CN) of subject. + name: tls.client.x509.subject.common_name + type: keyword +- description: List of country (C) code + name: tls.client.x509.subject.country + type: keyword +- description: Distinguished name (DN) of the certificate subject entity. + name: tls.client.x509.subject.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.client.x509.subject.locality + type: keyword +- description: List of organizations (O) of subject. + name: tls.client.x509.subject.organization + type: keyword +- description: List of organizational units (OU) of subject. + name: tls.client.x509.subject.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.client.x509.subject.state_or_province + type: keyword +- description: Version of x509 format. 
+ name: tls.client.x509.version_number + type: keyword +- description: String indicating the curve used for the given cipher, when applicable. + name: tls.curve + type: keyword +- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + name: tls.established + type: boolean +- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. + name: tls.next_protocol + type: keyword +- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. + name: tls.resumed + type: boolean +- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. + name: tls.server.certificate + type: keyword +- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + name: tls.server.certificate_chain + type: keyword +- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.server.hash.md5 + type: keyword +- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.server.hash.sha1 + type: keyword +- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
For consistency with other hash values, this value should be formatted as an uppercase hash. + name: tls.server.hash.sha256 + type: keyword +- description: Subject of the issuer of the x.509 certificate presented by the server. + name: tls.server.issuer + type: keyword +- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. + name: tls.server.ja3s + type: keyword +- description: Timestamp indicating when server certificate is no longer considered valid. + name: tls.server.not_after + type: date +- description: Timestamp indicating when server certificate is first considered valid. + name: tls.server.not_before + type: date +- description: Subject of the x.509 certificate presented by the server. + name: tls.server.subject + type: keyword +- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + name: tls.server.x509.alternative_names + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: tls.server.x509.issuer.common_name + type: keyword +- description: List of country (C) codes + name: tls.server.x509.issuer.country + type: keyword +- description: Distinguished name (DN) of issuing certificate authority. + name: tls.server.x509.issuer.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.server.x509.issuer.locality + type: keyword +- description: List of organizations (O) of issuing certificate authority. + name: tls.server.x509.issuer.organization + type: keyword +- description: List of organizational units (OU) of issuing certificate authority. 
+ name: tls.server.x509.issuer.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.server.x509.issuer.state_or_province + type: keyword +- description: Time at which the certificate is no longer considered valid. + name: tls.server.x509.not_after + type: date +- description: Time at which the certificate is first considered valid. + name: tls.server.x509.not_before + type: date +- description: Algorithm used to generate the public key. + name: tls.server.x509.public_key_algorithm + type: keyword +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. + name: tls.server.x509.public_key_curve + type: keyword +- description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + index: false + name: tls.server.x509.public_key_exponent + type: long +- description: The size of the public key space in bits. + name: tls.server.x509.public_key_size + type: long +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: tls.server.x509.serial_number + type: keyword +- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + name: tls.server.x509.signature_algorithm + type: keyword +- description: List of common names (CN) of subject. + name: tls.server.x509.subject.common_name + type: keyword +- description: List of country (C) code + name: tls.server.x509.subject.country + type: keyword +- description: Distinguished name (DN) of the certificate subject entity. 
+ name: tls.server.x509.subject.distinguished_name + type: keyword +- description: List of locality names (L) + name: tls.server.x509.subject.locality + type: keyword +- description: List of organizations (O) of subject. + name: tls.server.x509.subject.organization + type: keyword +- description: List of organizational units (OU) of subject. + name: tls.server.x509.subject.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: tls.server.x509.subject.state_or_province + type: keyword +- description: Version of x509 format. + name: tls.server.x509.version_number + type: keyword +- description: Numeric part of the version parsed from the original string. + name: tls.version + type: keyword +- description: Normalized lowercase protocol name parsed from original string. + name: tls.version_protocol + type: keyword +- description: |- + Unique identifier of the span within the scope of its trace. + A span represents an operation within a transaction, such as a request to another service, or a database query. + name: span.id + type: keyword +- description: |- + Unique identifier of the trace. + A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + name: trace.id + type: keyword +- description: |- + Unique identifier of the transaction within the scope of its trace. + A transaction is the highest level of work measured within a service, such as a request to a server. + name: transaction.id + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
+ name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
+ name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Name of the group. + name: user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. 
+ Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: user.hash + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Array of user roles at the time of the event. + name: user.roles + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: user_agent.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: user_agent.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: user_agent.os.platform + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: VLAN ID as reported by the observer. + name: vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: vlan.name + type: keyword +- description: |- + The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). 
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) + This field must be an array. + name: vulnerability.category + type: keyword +- description: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + name: vulnerability.classification + type: keyword +- description: The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) + multi_fields: + - name: text + type: match_only_text + name: vulnerability.description + type: keyword +- description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + name: vulnerability.enumeration + type: keyword +- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + name: vulnerability.id + type: keyword +- description: A resource that provides additional information, context, and mitigations for the identified vulnerability. + name: vulnerability.reference + type: keyword +- description: The report or scan identification number. + name: vulnerability.report_id + type: keyword +- description: The name of the vulnerability scanner vendor. + name: vulnerability.scanner.vendor + type: keyword +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.base + type: float +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.environmental + type: float +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.temporal + type: float +- description: |- + The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.score.version + type: keyword +- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.severity + type: keyword +- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + name: x509.alternative_names + type: keyword +- description: List of common name (CN) of issuing certificate authority. 
+ name: x509.issuer.common_name + type: keyword +- description: List of country (C) codes + name: x509.issuer.country + type: keyword +- description: Distinguished name (DN) of issuing certificate authority. + name: x509.issuer.distinguished_name + type: keyword +- description: List of locality names (L) + name: x509.issuer.locality + type: keyword +- description: List of organizations (O) of issuing certificate authority. + name: x509.issuer.organization + type: keyword +- description: List of organizational units (OU) of issuing certificate authority. + name: x509.issuer.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: x509.issuer.state_or_province + type: keyword +- description: Time at which the certificate is no longer considered valid. + name: x509.not_after + type: date +- description: Time at which the certificate is first considered valid. + name: x509.not_before + type: date +- description: Algorithm used to generate the public key. + name: x509.public_key_algorithm + type: keyword +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. + name: x509.public_key_curve + type: keyword +- description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + index: false + name: x509.public_key_exponent + type: long +- description: The size of the public key space in bits. + name: x509.public_key_size + type: long +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: x509.serial_number + type: keyword +- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. 
+ name: x509.signature_algorithm + type: keyword +- description: List of common names (CN) of subject. + name: x509.subject.common_name + type: keyword +- description: List of country (C) code + name: x509.subject.country + type: keyword +- description: Distinguished name (DN) of the certificate subject entity. + name: x509.subject.distinguished_name + type: keyword +- description: List of locality names (L) + name: x509.subject.locality + type: keyword +- description: List of organizations (O) of subject. + name: x509.subject.organization + type: keyword +- description: List of organizational units (OU) of subject. + name: x509.subject.organizational_unit + type: keyword +- description: List of state or province names (ST, S, or P) + name: x509.subject.state_or_province + type: keyword +- description: Version of x509 format. + name: x509.version_number + type: keyword diff --git a/packages/juniper/1.1.1/data_stream/srx/fields/fields.yml b/packages/juniper/1.1.1/data_stream/srx/fields/fields.yml new file mode 100755 index 0000000000..f1c609ea12 --- /dev/null +++ b/packages/juniper/1.1.1/data_stream/srx/fields/fields.yml 
@@ -0,0 +1,388 @@
+- name: juniper.srx
+ type: group
+ release: ga
+ fields:
+ - name: reason
+ type: keyword
+ description: |
+ reason
+ - name: connection_tag
+ type: keyword
+ description: |
+ connection tag
+ - name: service_name
+ type: keyword
+ description: |
+ service name
+ - name: nat_connection_tag
+ type: keyword
+ description: |
+ nat connection tag
+ - name: src_nat_rule_type
+ type: keyword
+ description: |
+ src nat rule type
+ - name: src_nat_rule_name
+ type: keyword
+ description: |
+ src nat rule name
+ - name: dst_nat_rule_type
+ type: keyword
+ description: |
+ dst nat rule type
+ - name: dst_nat_rule_name
+ type: keyword
+ description: |
+ dst nat rule name
+ - name: protocol_id
+ type: keyword
+ description: |
+ protocol id
+ - name: policy_name
+ type: keyword
+ description: |
+ policy name
+ - name: session_id_32
+ type: keyword
+ description: |
+ session id 32
+ - name: session_id
+ type: keyword
+ description: |
+ session id
+ - name: outbound_packets
+ type: integer
+ description: |
+ packets from client
+ - name: outbound_bytes
+ type: integer
+ description: |
+ bytes from client
+ - name: inbound_packets
+ type: integer
+ description: |
+ packets from server
+ - name: inbound_bytes
+ type: integer
+ description: |
+ bytes from server
+ - name: elapsed_time
+ type: date
+ description: |
+ elapsed time
+ - name: application
+ type: keyword
+ description: |
+ application
+ - name: nested_application
+ type: keyword
+ description: |
+ nested application
+ - name: username
+ type: keyword
+ description: |
+ username
+ - name: roles
+ type: keyword
+ description: |
+ roles
+ - name: encrypted
+ type: keyword
+ description: |
+ encrypted
+ - name: application_category
+ type: keyword
+ description: |
+ application category
+ - name: application_sub_category
+ type: keyword
+ description: |
+ application sub category
+ - name: application_characteristics
+ type: keyword
+ description: |
+ application characteristics
+ - name: secure_web_proxy_session_type
+ type: keyword
+ description: |
+ secure web proxy session type
+ - name: peer_session_id
+ type: keyword
+ description: |
+ peer session id
+ - name: peer_source_address
+ type: ip
+ description: |
+ peer source address
+ - name: peer_source_port
+ type: integer
+ description: |
+ peer source port
+ - name: peer_destination_address
+ type: ip
+ description: |
+ peer destination address
+ - name: peer_destination_port
+ type: integer
+ description: |
+ peer destination port
+ - name: hostname
+ type: keyword
+ description: |
+ hostname
+ - name: src_vrf_grp
+ type: keyword
+ description: |
+ src_vrf_grp
+ - name: dst_vrf_grp
+ type: keyword
+ description: |
+ dst_vrf_grp
+ - name: icmp_type
+ type: integer
+ description: |
+ icmp type
+ - name: process
+ type: keyword
+ description: |
+ process that generated the message
+ - name: apbr_rule_type
+ type: keyword
+ description: |
+ apbr rule type
+ - name: dscp_value
+ type: integer
+ description: |
+ apbr rule type
+ - name: logical_system_name
+ type: keyword
+ description: |
+ logical system name
+ - name: profile_name
+ type: keyword
+ description: |
+ profile name
+ - name: routing_instance
+ type: keyword
+ description: |
+ routing instance
+ - name: rule_name
+ type: keyword
+ description: |
+ rule name
+ - name: uplink_tx_bytes
+ type: integer
+ description: |
+ uplink tx bytes
+ - name: uplink_rx_bytes
+ type: integer
+ description: |
+ uplink rx bytes
+ - name: obj
+ type: keyword
+ description: |
+ url path
+ - name: url
+ type: keyword
+ description: |
+ url domain
+ - name: profile
+ type: keyword
+ description: |
+ filter profile
+ - name: category
+ type: keyword
+ description: |
+ filter category
+ - name: filename
+ type: keyword
+ description: |
+ filename
+ - name: temporary_filename
+ type: keyword
+ description: |
+ temporary_filename
+ - name: name
+ type: keyword
+ description: |
+ name
+ - name: error_message
+ type: keyword
+ description: |
+ error_message
+ - name: error_code
+ type: keyword
+ description: |
+ error_code
+ - name: action
+ type: keyword
+ description: |
+ action
+ - name: protocol
+ type: keyword
+ description: |
+ protocol
+ - name: protocol_name
+ type: keyword
+ description: |
+ protocol name
+ - name: type
+ type: keyword
+ description: |
+ type
+ - name: repeat_count
+ type: integer
+ description: |
+ repeat count
+ - name: alert
+ type: keyword
+ description: |
+ repeat alert
+ - name: message_type
+ type: keyword
+ description: |
+ message type
+ - name: threat_severity
+ type: keyword
+ description: |
+ threat severity
+ - name: application_name
+ type: keyword
+ description: |
+ application name
+ - name: attack_name
+ type: keyword
+ description: |
+ attack name
+ - name: index
+ type: keyword
+ description: |
+ index
+ - name: message
+ type: keyword
+ description: |
+ mesagge
+ - name: epoch_time
+ type: date
+ description: |
+ epoch time
+ - name: packet_log_id
+ type: integer
+ description: |
+ packet log id
+ - name: export_id
+ type: integer
+ description: |
+ packet log id
+ - name: ddos_application_name
+ type: keyword
+ description: |
+ ddos application name
+ - name: connection_hit_rate
+ type: integer
+ description: |
+ connection hit rate
+ - name: time_scope
+ type: keyword
+ description: |
+ time scope
+ - name: context_hit_rate
+ type: integer
+ description: |
+ context hit rate
+ - name: context_value_hit_rate
+ type: integer
+ description: |
+ context value hit rate
+ - name: time_count
+ type: integer
+ description: |
+ time count
+ - name: time_period
+ type: integer
+ description: |
+ time period
+ - name: context_value
+ type: keyword
+ description: |
+ context value
+ - name: context_name
+ type: keyword
+ description: |
+ context name
+ - name: ruleebase_name
+ type: keyword
+ description: |
+ ruleebase name
+ - name: verdict_source
+ type: keyword
+ description: |
+ verdict source
+ - name: verdict_number
+ type: integer
+ description: |
+ verdict number
+ - name: file_category
+ type: keyword
+ description: |
+ file category
+ - name: sample_sha256
+ type: keyword
+ description: |
+ sample sha256
+ - name: malware_info
+ type: keyword
+ description: |
+ malware info
+ - name: client_ip
+ type: ip
+ description: |
+ client ip
+ - name: tenant_id
+ type: keyword
+ description: |
+ tenant id
+ - name: timestamp
+ type: date
+ description: |
+ timestamp
+ - name: th
+ type: keyword
+ description: |
+ th
+ - name: status
+ type: keyword
+ description: |
+ status
+ - name: state
+ type: keyword
+ description: |
+ state
+ - name: file_hash_lookup
+ type: keyword
+ description: |
+ file hash lookup
+ - name: file_name
+ type: keyword
+ description: |
+ file name
+ - name: action_detail
+ type: keyword
+ description: |
+ action detail
+ - name: sub_category
+ type: keyword
+ description: |
+ sub category
+ - name: feed_name
+ type: keyword
+ description: |
+ feed name
+ - name: occur_count
+ type: integer
+ description: |
+ occur count
+ - name: tag
+ type: keyword
+ description: |-
+ system log message tag, which uniquely identifies the message.
diff --git a/packages/juniper/1.1.1/data_stream/srx/manifest.yml b/packages/juniper/1.1.1/data_stream/srx/manifest.yml
new file mode 100755
index 0000000000..8e21c3258d
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/srx/manifest.yml
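Review bot: The session volume counters `outbound_bytes`, `inbound_bytes`, `uplink_tx_bytes` and `uplink_rx_bytes` are mapped as `integer`, which is a signed 32-bit type in Elasticsearch, so a long-lived flow that has carried more than about 2 GiB produces a value the mapping rejects and the event is dropped at ingest unless the pipeline tolerates malformed values; `type: long` for those four fields (and arguably for the packet counters next to them) avoids losing exactly the sessions a defender most wants to see. Several descriptions are copy-paste leftovers and should be corrected in the same change: `dscp_value` and `export_id` repeat `apbr rule type` and `packet log id` from the entries above them, and `message` reads `mesagge`. `elapsed_time` is mapped as `date` although its name suggests a duration, and `ruleebase_name` looks like a misspelling of rulebase; both are worth checking against the ingest pipeline, which is not in this hunk, before changing them, since a rename here must be mirrored there.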
@@ -0,0 +1,133 @@
+type: logs
+title: Juniper SRX logs
+streams:
+ - input: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9006
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-srx
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: tcp.yml.hbs
+ title: Juniper SRX logs
+ description: Collect Juniper SRX logs via TCP
+ - input: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9006
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-srx
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: udp.yml.hbs
+ title: Juniper SRX logs
+ description: Collect Juniper SRX logs via UDP
+ - input: logfile
+ enabled: false
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/juniper-srx.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - juniper-srx
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: logfile.yml.hbs
+ title: Juniper SRX logs
+ description: Read Juniper SRX logs from a file
diff --git a/packages/juniper/1.1.1/data_stream/srx/sample_event.json b/packages/juniper/1.1.1/data_stream/srx/sample_event.json
new file mode 100755
index 0000000000..ae69f86328
--- /dev/null
+++ b/packages/juniper/1.1.1/data_stream/srx/sample_event.json
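Review bot: The `tcp` and `udp` streams expose only `syslog_host`, `syslog_port` and `tags`, so a user configuring this package has no way to enable transport protection for the listener and SRX session, IDP and UTM logs will cross the network in cleartext and unauthenticated; unless `tcp.yml.hbs` (not in this hunk) hard-wires them, consider exposing the Filebeat tcp input `ssl` options as stream vars, and stating in the udp stream's `description` that UDP syslog carries no transport protection so operators keep it on a trusted segment. The `tags`, `preserve_original_event` and `processors` blocks are repeated verbatim in all three streams, so any future fix must be applied three times; a comment such as `# the tags/preserve_original_event/processors vars below are duplicated per stream - keep them in sync` above the first `- input:` would make that explicit.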
@@ -0,0 +1,106 @@
+{
+ "@timestamp": "2016-02-18T01:32:50.391Z",
+ "agent": {
+ "ephemeral_id": "2876d482-8245-456b-833a-6aff7be73223",
+ "id": "ea40d449-2727-40b0-90ad-be273a35f475",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "client": {
+ "ip": "192.168.1.100",
+ "port": 58071
+ },
+ "data_stream": {
+ "dataset": "juniper.srx",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": "103.235.46.39",
+ "port": 80
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "elastic_agent": {
+ "id": "ea40d449-2727-40b0-90ad-be273a35f475",
+ "snapshot": true,
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "web_filter",
+ "agent_id_status": "verified",
+ "category": [
+ "network",
+ "malware"
+ ],
+ "dataset": "juniper.srx",
+ "ingested": "2021-12-06T12:33:40Z",
+ "kind": "alert",
+ "outcome": "success",
+ "severity": 12,
+ "timezone": "+00:00",
+ "type": [
+ "info",
+ "denied",
+ "connection"
+ ]
+ },
+ "input": {
+ "type": "log"
+ },
+ "juniper": {
+ "srx": {
+ "category": "cat1",
+ "process": "RT_UTM",
+ "profile": "uf1",
+ "reason": "BY_BLACK_LIST",
+ "tag": "WEBFILTER_URL_BLOCKED"
+ }
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/juniper-srx.log"
+ },
+ "level": "warning",
+ "offset": 0
+ },
+ "observer": {
+ "name": "utm-srx550-b",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "related": {
+ "hosts": [
+ "www.baidu.com"
+ ],
+ "ip": [
+ "192.168.1.100",
+ "103.235.46.39"
+ ],
+ "user": [
+ "user01"
+ ]
+ },
+ "server": {
+ "ip": "103.235.46.39",
+ "port": 80
+ },
+ "source": {
+ "ip": "192.168.1.100",
+ "port": 58071,
+ "user": {
+ "name": "user01"
+ }
+ },
+ "tags": [
+ "juniper-srx",
+ "forwarded"
+ ],
+ "url": {
+ "domain": "www.baidu.com",
+ "path": "/"
+ }
+}
\ No newline at end of file
diff --git a/packages/juniper/1.1.1/docs/README.md b/packages/juniper/1.1.1/docs/README.md
new file mode 100755
index 0000000000..f1cbbdd29f
--- /dev/null
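Review bot: The sample event embeds a live third-party address and hostname (`103.235.46.39` and `www.baidu.com`) in `destination.ip`, `server.ip`, `related.ip`, `related.hosts` and `url.domain`; since this file is presumably rendered into the package documentation, a documentation range such as `203.0.113.0/24` (RFC 5737) and an `example.com` hostname would avoid pointing readers at a real host and keep GeoIP/ASN enrichment in tests stable. If the file is regenerated from the pipeline test log, the substitution belongs in that fixture rather than here, otherwise the next regeneration will reintroduce the real values.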
+++ b/packages/juniper/1.1.1/docs/README.md 
@@ -0,0 +1,2555 @@
+# Juniper integration
+
+This is an integration for ingesting data from the different Juniper products.
+Currently it supports these datasets:
+- `srx` fileset: Supports Juniper SRX logs
+- `junos` dataset: supports Juniper JUNOS logs.
+- `netscreen` dataset: supports Netscreen logs.
+
+### SRX
+
+The SRX integration only supports syslog messages in the format "structured-data + brief". See the [JunOS Documentation on structured-data.](https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html)
+
+To configure a remote syslog destination, please reference the [SRX Getting Started - Configure System Logging.](https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502)
+The syslog format choosen should be `Default`.
+
+The following processes and tags are supported:
+
+| JunOS processes | JunOS tags |
+|-----------------|-------------------------------------------|
+| RT_FLOW | RT_FLOW_SESSION_CREATE |
+| | RT_FLOW_SESSION_CLOSE |
+| | RT_FLOW_SESSION_DENY |
+| | APPTRACK_SESSION_CREATE |
+| | APPTRACK_SESSION_CLOSE |
+| | APPTRACK_SESSION_VOL_UPDATE |
+| RT_IDS | RT_SCREEN_TCP |
+| | RT_SCREEN_UDP |
+| | RT_SCREEN_ICMP |
+| | RT_SCREEN_IP |
+| | RT_SCREEN_TCP_DST_IP |
+| | RT_SCREEN_TCP_SRC_IP |
+| RT_UTM | WEBFILTER_URL_PERMITTED |
+| | WEBFILTER_URL_BLOCKED |
+| | AV_VIRUS_DETECTED_MT |
+| | CONTENT_FILTERING_BLOCKED_MT |
+| | ANTISPAM_SPAM_DETECTED_MT |
+| RT_IDP | IDP_ATTACK_LOG_EVENT |
+| | IDP_APPDDOS_APP_STATE_EVENT |
+| RT_AAMW | SRX_AAMW_ACTION_LOG |
+| | AAMW_MALWARE_EVENT_LOG |
+| | AAMW_HOST_INFECTED_EVENT_LOG |
+| | AAMW_ACTION_LOG |
+| RT_SECINTEL | SECINTEL_ACTION_LOG |
+
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword |
+| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword |
+| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
+| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword |
+| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword |
+| agent.version | Version of the agent. | keyword |
+| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| as.organization.name | Organization name. | keyword |
+| as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text |
+| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| client.as.organization.name | Organization name. | keyword |
+| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
+| client.bytes | Bytes sent from the client to the server. | long |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.geo.city_name | City name. | keyword |
+| client.geo.continent_name | Name of the continent. | keyword |
+| client.geo.country_iso_code | Country ISO code. | keyword |
+| client.geo.country_name | Country name. | keyword |
+| client.geo.location | Longitude and latitude. | geo_point |
+| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| client.geo.region_iso_code | Region ISO code. | keyword |
+| client.geo.region_name | Region name. | keyword |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
+| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long |
+| client.packets | Packets sent from the client to the server. | long |
+| client.port | Port of the client. | long |
+| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| client.user.email | User email address. | keyword |
+| client.user.full_name | User's full name, if available. | keyword |
+| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text |
+| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| client.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| client.user.group.name | Name of the group. | keyword |
+| client.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| client.user.id | Unique identifier of the user. | keyword |
+| client.user.name | Short name or login of the user. | keyword |
+| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
+| client.user.roles | Array of user roles at the time of the event. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| code_signature.subject_name | Subject name of the code signer | keyword |
+| code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.image.tag | Container image tags. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| container.runtime | Runtime managing this container. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.packets | Packets sent from the destination to the source. | long |
+| destination.port | Port of the destination. | long |
+| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| destination.user.email | User email address. | keyword |
+| destination.user.full_name | User's full name, if available. | keyword |
+| destination.user.full_name.text | Multi-field of `destination.user.full_name`. | match_only_text |
+| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| destination.user.group.name | Name of the group. | keyword |
+| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| destination.user.id | Unique identifier of the user. | keyword |
+| destination.user.name | Short name or login of the user. | keyword |
+| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
+| destination.user.roles | Array of user roles at the time of the event. | keyword |
+| dll.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| dll.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| dll.code_signature.subject_name | Subject name of the code signer | keyword |
+| dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| dll.hash.md5 | MD5 hash. | keyword |
+| dll.hash.sha1 | SHA1 hash. | keyword |
+| dll.hash.sha256 | SHA256 hash. | keyword |
+| dll.hash.sha512 | SHA512 hash. | keyword |
+| dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword |
+| dll.path | Full file path of the library. | keyword |
+| dll.pe.architecture | CPU architecture target for the file. | keyword |
+| dll.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| dll.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| dll.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
+| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
+| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
+| dns.question.class | The class of records being queried. | keyword |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
+| dns.response_code | The DNS response code. | keyword |
+| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
+| error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
| keyword | +| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). 
| keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| file.code_signature.subject_name | Subject name of the code signer | keyword | +| file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. 
| boolean | +| file.created | File creation time. Note that not all filesystems store the creation time. | date | +| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | +| file.device | Device that is the source of the file. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.group | Primary group name of the file. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.hash.sha512 | SHA512 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | +| file.mode | Mode of the file in octal representation. | keyword | +| file.mtime | Last time the file content was modified. | date | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.owner | File owner's username. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. 
| keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.pe.architecture | CPU architecture target for the file. | keyword | +| file.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| file.pe.description | Internal description of the file, provided at compile-time. | keyword | +| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| file.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.target_path | Target path for symlinks. | keyword | +| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | +| file.type | File type (file, dir, or symlink). | keyword | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | +| file.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| file.x509.issuer.country | List of country (C) codes | keyword | +| file.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. 
| keyword | +| file.x509.issuer.locality | List of locality names (L) | keyword | +| file.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | +| file.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| file.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| file.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| file.x509.not_before | Time at which the certificate is first considered valid. | date | +| file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| file.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | +| file.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | +| file.x509.public_key_size | The size of the public key space in bits. | long | +| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| file.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| file.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| file.x509.subject.country | List of country (C) code | keyword | +| file.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| file.x509.subject.locality | List of locality names (L) | keyword | +| file.x509.subject.organization | List of organizations (O) of subject. | keyword | +| file.x509.subject.organizational_unit | List of organizational units (OU) of subject. 
| keyword | +| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | +| file.x509.version_number | Version of x509 format. | keyword | +| geo.city_name | City name. | keyword | +| geo.continent_name | Name of the continent. | keyword | +| geo.country_iso_code | Country ISO code. | keyword | +| geo.country_name | Country name. | keyword | +| geo.location | Longitude and latitude. | geo_point | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_iso_code | Region ISO code. | keyword | +| geo.region_name | Region name. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| hash.md5 | MD5 hash. | keyword | +| hash.sha1 | SHA1 hash. | keyword | +| hash.sha256 | SHA256 hash. | keyword | +| hash.sha512 | SHA512 hash. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. | keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| http.request.body.bytes | Size in bytes of the request body. | long | +| http.request.body.content | The full HTTP request body. | wildcard | +| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | +| http.request.bytes | Total size in bytes of the request (body and headers). | long | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.body.content | The full HTTP response body. | wildcard | +| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Input type. | keyword | +| interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | +| interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | +| interface.name | Interface name as reported by the system. 
| keyword | +| juniper.srx.action | action | keyword | +| juniper.srx.action_detail | action detail | keyword | +| juniper.srx.alert | repeat alert | keyword | +| juniper.srx.apbr_rule_type | apbr rule type | keyword | +| juniper.srx.application | application | keyword | +| juniper.srx.application_category | application category | keyword | +| juniper.srx.application_characteristics | application characteristics | keyword | +| juniper.srx.application_name | application name | keyword | +| juniper.srx.application_sub_category | application sub category | keyword | +| juniper.srx.attack_name | attack name | keyword | +| juniper.srx.category | filter category | keyword | +| juniper.srx.client_ip | client ip | ip | +| juniper.srx.connection_hit_rate | connection hit rate | integer | +| juniper.srx.connection_tag | connection tag | keyword | +| juniper.srx.context_hit_rate | context hit rate | integer | +| juniper.srx.context_name | context name | keyword | +| juniper.srx.context_value | context value | keyword | +| juniper.srx.context_value_hit_rate | context value hit rate | integer | +| juniper.srx.ddos_application_name | ddos application name | keyword | +| juniper.srx.dscp_value | apbr rule type | integer | +| juniper.srx.dst_nat_rule_name | dst nat rule name | keyword | +| juniper.srx.dst_nat_rule_type | dst nat rule type | keyword | +| juniper.srx.dst_vrf_grp | dst_vrf_grp | keyword | +| juniper.srx.elapsed_time | elapsed time | date | +| juniper.srx.encrypted | encrypted | keyword | +| juniper.srx.epoch_time | epoch time | date | +| juniper.srx.error_code | error_code | keyword | +| juniper.srx.error_message | error_message | keyword | +| juniper.srx.export_id | packet log id | integer | +| juniper.srx.feed_name | feed name | keyword | +| juniper.srx.file_category | file category | keyword | +| juniper.srx.file_hash_lookup | file hash lookup | keyword | +| juniper.srx.file_name | file name | keyword | +| juniper.srx.filename | filename | keyword | +| 
juniper.srx.hostname | hostname | keyword | +| juniper.srx.icmp_type | icmp type | integer | +| juniper.srx.inbound_bytes | bytes from server | integer | +| juniper.srx.inbound_packets | packets from server | integer | +| juniper.srx.index | index | keyword | +| juniper.srx.logical_system_name | logical system name | keyword | +| juniper.srx.malware_info | malware info | keyword | +| juniper.srx.message | mesagge | keyword | +| juniper.srx.message_type | message type | keyword | +| juniper.srx.name | name | keyword | +| juniper.srx.nat_connection_tag | nat connection tag | keyword | +| juniper.srx.nested_application | nested application | keyword | +| juniper.srx.obj | url path | keyword | +| juniper.srx.occur_count | occur count | integer | +| juniper.srx.outbound_bytes | bytes from client | integer | +| juniper.srx.outbound_packets | packets from client | integer | +| juniper.srx.packet_log_id | packet log id | integer | +| juniper.srx.peer_destination_address | peer destination address | ip | +| juniper.srx.peer_destination_port | peer destination port | integer | +| juniper.srx.peer_session_id | peer session id | keyword | +| juniper.srx.peer_source_address | peer source address | ip | +| juniper.srx.peer_source_port | peer source port | integer | +| juniper.srx.policy_name | policy name | keyword | +| juniper.srx.process | process that generated the message | keyword | +| juniper.srx.profile | filter profile | keyword | +| juniper.srx.profile_name | profile name | keyword | +| juniper.srx.protocol | protocol | keyword | +| juniper.srx.protocol_id | protocol id | keyword | +| juniper.srx.protocol_name | protocol name | keyword | +| juniper.srx.reason | reason | keyword | +| juniper.srx.repeat_count | repeat count | integer | +| juniper.srx.roles | roles | keyword | +| juniper.srx.routing_instance | routing instance | keyword | +| juniper.srx.rule_name | rule name | keyword | +| juniper.srx.ruleebase_name | ruleebase name | keyword | +| juniper.srx.sample_sha256 
| sample sha256 | keyword | +| juniper.srx.secure_web_proxy_session_type | secure web proxy session type | keyword | +| juniper.srx.service_name | service name | keyword | +| juniper.srx.session_id | session id | keyword | +| juniper.srx.session_id_32 | session id 32 | keyword | +| juniper.srx.src_nat_rule_name | src nat rule name | keyword | +| juniper.srx.src_nat_rule_type | src nat rule type | keyword | +| juniper.srx.src_vrf_grp | src_vrf_grp | keyword | +| juniper.srx.state | state | keyword | +| juniper.srx.status | status | keyword | +| juniper.srx.sub_category | sub category | keyword | +| juniper.srx.tag | system log message tag, which uniquely identifies the message. | keyword | +| juniper.srx.temporary_filename | temporary_filename | keyword | +| juniper.srx.tenant_id | tenant id | keyword | +| juniper.srx.th | th | keyword | +| juniper.srx.threat_severity | threat severity | keyword | +| juniper.srx.time_count | time count | integer | +| juniper.srx.time_period | time period | integer | +| juniper.srx.time_scope | time scope | keyword | +| juniper.srx.timestamp | timestamp | date | +| juniper.srx.type | type | keyword | +| juniper.srx.uplink_rx_bytes | uplink rx bytes | integer | +| juniper.srx.uplink_tx_bytes | uplink tx bytes | integer | +| juniper.srx.url | url domain | keyword | +| juniper.srx.username | username | keyword | +| juniper.srx.verdict_number | verdict number | integer | +| juniper.srx.verdict_source | verdict source | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. 
If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Byte offset of the log line within its file. | long | +| log.source.address | Source address of the syslog message. | keyword | +| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. 
If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| network.vlan.id | VLAN ID as reported by the observer. 
| keyword | +| network.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | +| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | +| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword | +| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.geo.city_name | City name. | keyword | +| observer.geo.continent_name | Name of the continent. | keyword | +| observer.geo.country_iso_code | Country ISO code. | keyword | +| observer.geo.country_name | Country name. | keyword | +| observer.geo.location | Longitude and latitude. | geo_point | +| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| observer.geo.region_iso_code | Region ISO code. | keyword | +| observer.geo.region_name | Region name. | keyword | +| observer.hostname | Hostname of the observer. 
| keyword | +| observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | +| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword | +| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword | +| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| observer.os.full | Operating system name, including the version or code name. | keyword | +| observer.os.full.text | Multi-field of `observer.os.full`. 
| match_only_text | +| observer.os.kernel | Operating system kernel version as a raw string. | keyword | +| observer.os.name | Operating system name, without the version. | keyword | +| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text | +| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| observer.os.version | Operating system version as a raw string. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| organization.id | Unique identifier for the organization. | keyword | +| organization.name | Organization name. | keyword | +| organization.name.text | Multi-field of `organization.name`. | match_only_text | +| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| os.full | Operating system name, including the version or code name. | keyword | +| os.full.text | Multi-field of `os.full`. | match_only_text | +| os.kernel | Operating system kernel version as a raw string. | keyword | +| os.name | Operating system name, without the version. | keyword | +| os.name.text | Multi-field of `os.name`. | match_only_text | +| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| os.version | Operating system version as a raw string. | keyword | +| package.architecture | Package architecture. | keyword | +| package.build_version | Additional information about the build version of the installed package. For example use the commit SHA of a non-released package. 
| keyword | +| package.checksum | Checksum of the installed package for verification. | keyword | +| package.description | Description of the package. | keyword | +| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword | +| package.installed | Time when package was installed. | date | +| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword | +| package.name | Package name | keyword | +| package.path | Path where the package is installed. | keyword | +| package.reference | Home page or reference URL of the software in this package, if available. | keyword | +| package.size | Package size in bytes. | long | +| package.type | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | keyword | +| package.version | Package version | keyword | +| pe.architecture | CPU architecture target for the file. | keyword | +| pe.company | Internal company name of the file, provided at compile-time. | keyword | +| pe.description | Internal description of the file, provided at compile-time. | keyword | +| pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| pe.product | Internal product name of the file, provided at compile-time. 
| keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.code_signature.subject_name | Subject name of the code signer | keyword | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.hash.sha512 | SHA512 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. 
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha1 | SHA1 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.hash.sha512 | SHA512 hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pe.architecture | CPU architecture target for the file. 
| keyword | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | +| process.parent.pid | Process id. | long | +| process.parent.start | The time the process started. | date | +| process.parent.thread.id | Thread ID. | long | +| process.parent.thread.name | Thread name. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.parent.uptime | Seconds the process has been up. | long | +| process.parent.working_directory | The working directory of the process. | keyword | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | +| process.pe.architecture | CPU architecture target for the file. | keyword | +| process.pe.company | Internal company name of the file, provided at compile-time. 
| keyword | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.pgid | Identifier of the group of processes the process belongs to. | long | +| process.pid | Process id. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.thread.name | Thread name. | keyword | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. | keyword | +| registry.data.strings | Content when writing string types. 
Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | +| registry.data.type | Standard registry type for encoding contents | keyword | +| registry.hive | Abbreviated name for the hive. | keyword | +| registry.key | Hive-relative path of keys. | keyword | +| registry.path | Full path, including hive, key and value | keyword | +| registry.value | Name of the value written. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.license | Name of the license under which the rule used to generate this event is made available. | keyword | +| rule.name | The name of the rule or signature generating the event. 
| keyword | +| rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| rule.version | The version / revision of the rule being used for analysis. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| server.as.organization.name | Organization name. | keyword | +| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.geo.city_name | City name. | keyword | +| server.geo.continent_name | Name of the continent. | keyword | +| server.geo.country_iso_code | Country ISO code. | keyword | +| server.geo.country_name | Country name. | keyword | +| server.geo.location | Longitude and latitude. 
| geo_point | +| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| server.geo.region_iso_code | Region ISO code. | keyword | +| server.geo.region_name | Region name. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | +| server.packets | Packets sent from the server to the client. | long | +| server.port | Port of the server. | long | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| server.user.email | User email address. | keyword | +| server.user.full_name | User's full name, if available. | keyword | +| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text | +| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| server.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| server.user.group.name | Name of the group. | keyword | +| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| server.user.id | Unique identifier of the user. | keyword | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| server.user.roles | Array of user roles at the time of the event. | keyword | +| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | +| service.name | Name of the service data is collected from. 
The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword | +| service.state | Current state of the service. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. 
| long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| source.user.roles | Array of user roles at the time of the event. 
| keyword | +| span.id | Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | +| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | +| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | +| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| tls.cipher | String indicating the cipher used during the current connection. | keyword | +| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. 
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword | +| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword | +| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | +| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | +| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date | +| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | +| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | +| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword | +| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. 
| keyword | +| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.country | List of country (C) codes | keyword | +| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.locality | List of locality names (L) | keyword | +| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date | +| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | +| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | +| tls.client.x509.public_key_size | The size of the public key space in bits. | long | +| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| tls.client.x509.subject.country | List of country (C) code | keyword | +| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| tls.client.x509.subject.locality | List of locality names (L) | keyword | +| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | +| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | +| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.client.x509.version_number | Version of x509 format. | keyword | +| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | +| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | +| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword | +| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | +| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword | +| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. 
| keyword | +| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | +| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | +| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | +| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | +| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | +| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | +| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.country | List of country (C) codes | keyword | +| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.locality | List of locality names (L) | keyword | +| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. 
| keyword | +| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | +| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | +| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | +| tls.server.x509.public_key_size | The size of the public key space in bits. | long | +| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| tls.server.x509.subject.country | List of country (C) code | keyword | +| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| tls.server.x509.subject.locality | List of locality names (L) | keyword | +| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | +| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. 
| keyword | +| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | +| tls.server.x509.version_number | Version of x509 format. | keyword | +| tls.version | Numeric part of the version parsed from the original string. | keyword | +| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | +| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword | +| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. 
| match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| user_agent.os.version | Operating system version as a raw string. 
| keyword | +| user_agent.version | Version of the user agent. | keyword | +| vlan.id | VLAN ID as reported by the observer. | keyword | +| vlan.name | Optional VLAN name as reported by the observer. | keyword | +| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | +| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | +| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword | +| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text | +| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | +| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | +| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | +| vulnerability.report_id | The report or scan identification number. | keyword | +| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | +| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.environmental | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | +| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | +| x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| x509.issuer.common_name | List of common name (CN) of issuing certificate authority. 
| keyword | +| x509.issuer.country | List of country (C) codes | keyword | +| x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | +| x509.issuer.locality | List of locality names (L) | keyword | +| x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | +| x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| x509.not_after | Time at which the certificate is no longer considered valid. | date | +| x509.not_before | Time at which the certificate is first considered valid. | date | +| x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | +| x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | +| x509.public_key_size | The size of the public key space in bits. | long | +| x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| x509.subject.common_name | List of common names (CN) of subject. | keyword | +| x509.subject.country | List of country (C) code | keyword | +| x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| x509.subject.locality | List of locality names (L) | keyword | +| x509.subject.organization | List of organizations (O) of subject. 
| keyword | +| x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | +| x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | +| x509.version_number | Version of x509 format. | keyword | + + +### Junos + +The `junos` dataset collects Juniper JUNOS logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| as.organization.name | Organization name. | keyword | +| as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). 
Typically connections traversing load balancers, firewalls, or routers. | ip | +| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | +| client.packets | Packets sent from the client to the server. | long | +| client.port | Port of the client. | long | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.email | User email address. | keyword | +| client.user.full_name | User's full name, if available. | keyword | +| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | +| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| client.user.group.name | Name of the group. | keyword | +| client.user.hash | Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| client.user.id | Unique identifier of the user. | keyword | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| client.user.roles | Array of user roles at the time of the event. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| code_signature.exists | Boolean to capture if a signature is present. | boolean | +| code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | +| code_signature.subject_name | Subject name of the code signer | keyword | +| code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.image.tag | Container image tags. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.packets | Packets sent from the destination to the source. | long |
+| destination.port | Port of the destination. | long |
+| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| destination.user.email | User email address. | keyword |
+| destination.user.full_name | User's full name, if available. | keyword |
+| destination.user.full_name.text | Multi-field of `destination.user.full_name`. | match_only_text |
+| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| destination.user.group.name | Name of the group. | keyword |
+| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| destination.user.id | Unique identifier of the user. | keyword |
+| destination.user.name | Short name or login of the user. | keyword |
+| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
+| destination.user.roles | Array of user roles at the time of the event. | keyword |
+| dll.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| dll.code_signature.status | Additional information about the certificate status. 
This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| dll.code_signature.subject_name | Subject name of the code signer | keyword |
+| dll.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| dll.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| dll.hash.md5 | MD5 hash. | keyword |
+| dll.hash.sha1 | SHA1 hash. | keyword |
+| dll.hash.sha256 | SHA256 hash. | keyword |
+| dll.hash.sha512 | SHA512 hash. | keyword |
+| dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword |
+| dll.path | Full file path of the library. | keyword |
+| dll.pe.architecture | CPU architecture target for the file. | keyword |
+| dll.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| dll.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| dll.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| dll.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| dll.pe.product | Internal product name of the file, provided at compile-time. 
| keyword |
+| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
+| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
+| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
+| dns.question.class | The class of records being queried. | keyword |
+| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
+| dns.response_code | The DNS response code. | keyword |
+| dns.type | The type of DNS event captured, query or answer. 
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
+| error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. 
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
+| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
+| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float |
+| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
+| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date |
+| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword |
+| file.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. 
Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| file.code_signature.subject_name | Subject name of the code signer | keyword |
+| file.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| file.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| file.created | File creation time. Note that not all filesystems store the creation time. | date |
+| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date |
+| file.device | Device that is the source of the file. | keyword |
+| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.gid | Primary group ID (GID) of the file. | keyword |
+| file.group | Primary group name of the file. | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.hash.sha1 | SHA1 hash. | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.hash.sha512 | SHA512 hash. | keyword |
+| file.inode | Inode representing the file in the filesystem. 
| keyword |
+| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
+| file.mode | Mode of the file in octal representation. | keyword |
+| file.mtime | Last time the file content was modified. | date |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.owner | File owner's username. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.pe.architecture | CPU architecture target for the file. | keyword |
+| file.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| file.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| file.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| file.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.target_path | Target path for symlinks. | keyword |
+| file.target_path.text | Multi-field of `file.target_path`. | match_only_text |
+| file.type | File type (file, dir, or symlink). 
| keyword |
+| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword |
+| file.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
+| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
+| file.x509.issuer.country | List of country (C) codes | keyword |
+| file.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
+| file.x509.issuer.locality | List of locality names (L) | keyword |
+| file.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
+| file.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
+| file.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| file.x509.not_after | Time at which the certificate is no longer considered valid. | date |
+| file.x509.not_before | Time at which the certificate is first considered valid. | date |
+| file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
+| file.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
+| file.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
+| file.x509.public_key_size | The size of the public key space in bits. | long |
+| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
+| file.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
+| file.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| file.x509.subject.country | List of country (C) code | keyword |
+| file.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
+| file.x509.subject.locality | List of locality names (L) | keyword |
+| file.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| file.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
+| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| file.x509.version_number | Version of x509 format. | keyword |
+| geo.city_name | City name. | keyword |
+| geo.continent_name | Name of the continent. | keyword |
+| geo.country_iso_code | Country ISO code. | keyword |
+| geo.country_name | Country name. | keyword |
+| geo.location | Longitude and latitude. | geo_point |
+| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| geo.region_iso_code | Region ISO code. | keyword |
+| geo.region_name | Region name. | keyword |
+| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| hash.md5 | MD5 hash. | keyword |
+| hash.sha1 | SHA1 hash. | keyword |
+| hash.sha256 | SHA256 hash. | keyword |
+| hash.sha512 | SHA512 hash. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. 
| boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
+| http.request.body.bytes | Size in bytes of the request body. | long |
+| http.request.body.content | The full HTTP request body. | wildcard |
+| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text |
+| http.request.bytes | Total size in bytes of the request (body and headers). | long |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.bytes | Size in bytes of the response body. | long |
+| http.response.body.content | The full HTTP response body. | wildcard |
+| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text |
+| http.response.bytes | Total size in bytes of the response (body and headers). | long |
+| http.response.status_code | HTTP response status code. | long |
+| http.version | HTTP version. | keyword |
+| input.type | Input type. 
| keyword |
+| interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| interface.name | Interface name as reported by the system. | keyword |
+| juniper.srx.action | action | keyword |
+| juniper.srx.action_detail | action detail | keyword |
+| juniper.srx.alert | repeat alert | keyword |
+| juniper.srx.apbr_rule_type | apbr rule type | keyword |
+| juniper.srx.application | application | keyword |
+| juniper.srx.application_category | application category | keyword |
+| juniper.srx.application_characteristics | application characteristics | keyword |
+| juniper.srx.application_name | application name | keyword |
+| juniper.srx.application_sub_category | application sub category | keyword |
+| juniper.srx.attack_name | attack name | keyword |
+| juniper.srx.category | filter category | keyword |
+| juniper.srx.client_ip | client ip | ip |
+| juniper.srx.connection_hit_rate | connection hit rate | integer |
+| juniper.srx.connection_tag | connection tag | keyword |
+| juniper.srx.context_hit_rate | context hit rate | integer |
+| juniper.srx.context_name | context name | keyword |
+| juniper.srx.context_value | context value | keyword |
+| juniper.srx.context_value_hit_rate | context value hit rate | integer |
+| juniper.srx.ddos_application_name | ddos application name | keyword |
+| juniper.srx.dscp_value | apbr rule type | integer |
+| juniper.srx.dst_nat_rule_name | dst nat rule name | keyword |
+| juniper.srx.dst_nat_rule_type | dst nat rule type | keyword |
+| juniper.srx.dst_vrf_grp | dst_vrf_grp | keyword |
+| juniper.srx.elapsed_time | elapsed time | date |
+| juniper.srx.encrypted | encrypted | keyword |
+| juniper.srx.epoch_time | epoch time | date |
+| juniper.srx.error_code | error_code | keyword |
+| juniper.srx.error_message | 
error_message | keyword |
+| juniper.srx.export_id | packet log id | integer |
+| juniper.srx.feed_name | feed name | keyword |
+| juniper.srx.file_category | file category | keyword |
+| juniper.srx.file_hash_lookup | file hash lookup | keyword |
+| juniper.srx.file_name | file name | keyword |
+| juniper.srx.filename | filename | keyword |
+| juniper.srx.hostname | hostname | keyword |
+| juniper.srx.icmp_type | icmp type | integer |
+| juniper.srx.inbound_bytes | bytes from server | integer |
+| juniper.srx.inbound_packets | packets from server | integer |
+| juniper.srx.index | index | keyword |
+| juniper.srx.logical_system_name | logical system name | keyword |
+| juniper.srx.malware_info | malware info | keyword |
+| juniper.srx.message | mesagge | keyword |
+| juniper.srx.message_type | message type | keyword |
+| juniper.srx.name | name | keyword |
+| juniper.srx.nat_connection_tag | nat connection tag | keyword |
+| juniper.srx.nested_application | nested application | keyword |
+| juniper.srx.obj | url path | keyword |
+| juniper.srx.occur_count | occur count | integer |
+| juniper.srx.outbound_bytes | bytes from client | integer |
+| juniper.srx.outbound_packets | packets from client | integer |
+| juniper.srx.packet_log_id | packet log id | integer |
+| juniper.srx.peer_destination_address | peer destination address | ip |
+| juniper.srx.peer_destination_port | peer destination port | integer |
+| juniper.srx.peer_session_id | peer session id | keyword |
+| juniper.srx.peer_source_address | peer source address | ip |
+| juniper.srx.peer_source_port | peer source port | integer |
+| juniper.srx.policy_name | policy name | keyword |
+| juniper.srx.process | process that generated the message | keyword |
+| juniper.srx.profile | filter profile | keyword |
+| juniper.srx.profile_name | profile name | keyword |
+| juniper.srx.protocol | protocol | keyword |
+| juniper.srx.protocol_id | protocol id | keyword |
+| juniper.srx.protocol_name | protocol name |
keyword |
+| juniper.srx.reason | reason | keyword |
+| juniper.srx.repeat_count | repeat count | integer |
+| juniper.srx.roles | roles | keyword |
+| juniper.srx.routing_instance | routing instance | keyword |
+| juniper.srx.rule_name | rule name | keyword |
+| juniper.srx.ruleebase_name | ruleebase name | keyword |
+| juniper.srx.sample_sha256 | sample sha256 | keyword |
+| juniper.srx.secure_web_proxy_session_type | secure web proxy session type | keyword |
+| juniper.srx.service_name | service name | keyword |
+| juniper.srx.session_id | session id | keyword |
+| juniper.srx.session_id_32 | session id 32 | keyword |
+| juniper.srx.src_nat_rule_name | src nat rule name | keyword |
+| juniper.srx.src_nat_rule_type | src nat rule type | keyword |
+| juniper.srx.src_vrf_grp | src_vrf_grp | keyword |
+| juniper.srx.state | state | keyword |
+| juniper.srx.status | status | keyword |
+| juniper.srx.sub_category | sub category | keyword |
+| juniper.srx.tag | system log message tag, which uniquely identifies the message. | keyword |
+| juniper.srx.temporary_filename | temporary_filename | keyword |
+| juniper.srx.tenant_id | tenant id | keyword |
+| juniper.srx.th | th | keyword |
+| juniper.srx.threat_severity | threat severity | keyword |
+| juniper.srx.time_count | time count | integer |
+| juniper.srx.time_period | time period | integer |
+| juniper.srx.time_scope | time scope | keyword |
+| juniper.srx.timestamp | timestamp | date |
+| juniper.srx.type | type | keyword |
+| juniper.srx.uplink_rx_bytes | uplink rx bytes | integer |
+| juniper.srx.uplink_tx_bytes | uplink tx bytes | integer |
+| juniper.srx.url | url domain | keyword |
+| juniper.srx.username | username | keyword |
+| juniper.srx.verdict_number | verdict number | integer |
+| juniper.srx.verdict_source | verdict source | keyword |
+| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
Example: `docker` and `k8s` labels. | object |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Byte offset of the log line within its file. | long |
+| log.source.address | Source address of the syslog message. | keyword |
+| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`.
| long |
+| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| network.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
+| observer.geo.city_name | City name. | keyword |
+| observer.geo.continent_name | Name of the continent. | keyword |
+| observer.geo.country_iso_code | Country ISO code. | keyword |
+| observer.geo.country_name | Country name. | keyword |
+| observer.geo.location | Longitude and latitude. | geo_point |
+| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
Not typically used in automated geolocation. | keyword |
+| observer.geo.region_iso_code | Region ISO code. | keyword |
+| observer.geo.region_name | Region name. | keyword |
+| observer.hostname | Hostname of the observer. | keyword |
+| observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
+| observer.ip | IP addresses of the observer. | ip |
+| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.os.family | OS family (such as redhat, debian, freebsd, windows).
| keyword |
+| observer.os.full | Operating system name, including the version or code name. | keyword |
+| observer.os.full.text | Multi-field of `observer.os.full`. | match_only_text |
+| observer.os.kernel | Operating system kernel version as a raw string. | keyword |
+| observer.os.name | Operating system name, without the version. | keyword |
+| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text |
+| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| observer.os.version | Operating system version as a raw string. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.serial_number | Observer serial number. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| organization.id | Unique identifier for the organization. | keyword |
+| organization.name | Organization name. | keyword |
+| organization.name.text | Multi-field of `organization.name`. | match_only_text |
+| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| os.full | Operating system name, including the version or code name. | keyword |
+| os.full.text | Multi-field of `os.full`. | match_only_text |
+| os.kernel | Operating system kernel version as a raw string. | keyword |
+| os.name | Operating system name, without the version. | keyword |
+| os.name.text | Multi-field of `os.name`. | match_only_text |
+| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| os.version | Operating system version as a raw string. | keyword |
+| package.architecture | Package architecture.
| keyword |
+| package.build_version | Additional information about the build version of the installed package. For example use the commit SHA of a non-released package. | keyword |
+| package.checksum | Checksum of the installed package for verification. | keyword |
+| package.description | Description of the package. | keyword |
+| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword |
+| package.installed | Time when package was installed. | date |
+| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword |
+| package.name | Package name | keyword |
+| package.path | Path where the package is installed. | keyword |
+| package.reference | Home page or reference URL of the software in this package, if available. | keyword |
+| package.size | Package size in bytes. | long |
+| package.type | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | keyword |
+| package.version | Package version | keyword |
+| pe.architecture | CPU architecture target for the file. | keyword |
+| pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| pe.description | Internal description of the file, provided at compile-time. | keyword |
+| pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| pe.original_file_name | Internal name of the file, provided at compile-time.
| keyword |
+| pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.hash.sha512 | SHA512 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.parent.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.parent.code_signature.trusted | Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha1 | SHA1 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.hash.sha512 | SHA512 hash. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pe.architecture | CPU architecture target for the file.
| keyword |
+| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| process.parent.pgid | Identifier of the group of processes the process belongs to. | long |
+| process.parent.pid | Process id. | long |
+| process.parent.start | The time the process started. | date |
+| process.parent.thread.id | Thread ID. | long |
+| process.parent.thread.name | Thread name. | keyword |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
+| process.parent.uptime | Seconds the process has been up. | long |
+| process.parent.working_directory | The working directory of the process. | keyword |
+| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text |
+| process.pe.architecture | CPU architecture target for the file. | keyword |
+| process.pe.company | Internal company name of the file, provided at compile-time.
| keyword |
+| process.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| process.pgid | Identifier of the group of processes the process belongs to. | long |
+| process.pid | Process id. | long |
+| process.start | The time the process started. | date |
+| process.thread.id | Thread ID. | long |
+| process.thread.name | Thread name. | keyword |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| process.uptime | Seconds the process has been up. | long |
+| process.working_directory | The working directory of the process. | keyword |
+| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text |
+| registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. | keyword |
+| registry.data.strings | Content when writing string types.
Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard |
+| registry.data.type | Standard registry type for encoding contents | keyword |
+| registry.hive | Abbreviated name for the hive. | keyword |
+| registry.key | Hive-relative path of keys. | keyword |
+| registry.path | Full path, including hive, key and value | keyword |
+| registry.value | Name of the value written. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword |
+| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
+| rule.description | The description of the rule generating the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| rule.license | Name of the license under which the rule used to generate this event is made available. | keyword |
+| rule.name | The name of the rule or signature generating the event.
| keyword |
+| rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. | keyword |
+| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
+| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword |
+| rule.version | The version / revision of the rule being used for analysis. | keyword |
+| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| server.as.organization.name | Organization name. | keyword |
+| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text |
+| server.bytes | Bytes sent from the server to the client. | long |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.geo.city_name | City name. | keyword |
+| server.geo.continent_name | Name of the continent. | keyword |
+| server.geo.country_iso_code | Country ISO code. | keyword |
+| server.geo.country_name | Country name. | keyword |
+| server.geo.location | Longitude and latitude.
| geo_point |
+| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| server.geo.region_iso_code | Region ISO code. | keyword |
+| server.geo.region_name | Region name. | keyword |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long |
+| server.packets | Packets sent from the server to the client. | long |
+| server.port | Port of the server. | long |
+| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org).
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| server.user.email | User email address. | keyword |
+| server.user.full_name | User's full name, if available. | keyword |
+| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text |
+| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| server.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| server.user.group.name | Name of the group. | keyword |
+| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| server.user.id | Unique identifier of the user. | keyword |
+| server.user.name | Short name or login of the user. | keyword |
+| server.user.name.text | Multi-field of `server.user.name`. | match_only_text |
+| server.user.roles | Array of user roles at the time of the event. | keyword |
+| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword |
+| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword |
+| service.name | Name of the service data is collected from. 
The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword |
+| service.state | Current state of the service. | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. 
| long |
+| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.email | User email address. | keyword |
+| source.user.full_name | User's full name, if available. | keyword |
+| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text |
+| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| source.user.group.name | Name of the group. | keyword |
+| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| source.user.id | Unique identifier of the user. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| source.user.roles | Array of user roles at the time of the event. 
| keyword |
+| span.id | Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
+| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
+| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
+| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| tls.cipher | String indicating the cipher used during the current connection. | keyword |
+| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. 
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword |
+| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword |
+| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
+| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
+| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
+| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
+| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
+| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date |
+| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
+| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
+| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
+| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. 
| keyword |
+| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
+| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
+| tls.client.x509.issuer.country | List of country (C) codes | keyword |
+| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
+| tls.client.x509.issuer.locality | List of locality names (L) | keyword |
+| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
+| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
+| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date |
+| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date |
+| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
+| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
+| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
+| tls.client.x509.public_key_size | The size of the public key space in bits. | long |
+| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
+| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
+| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| tls.client.x509.subject.country | List of country (C) code | keyword |
+| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
+| tls.client.x509.subject.locality | List of locality names (L) | keyword |
+| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
+| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| tls.client.x509.version_number | Version of x509 format. | keyword |
+| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword |
+| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
+| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword |
+| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean |
+| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword |
+| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. 
| keyword |
+| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
+| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
+| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
+| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
+| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
+| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date |
+| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date |
+| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword |
+| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
+| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
+| tls.server.x509.issuer.country | List of country (C) codes | keyword |
+| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
+| tls.server.x509.issuer.locality | List of locality names (L) | keyword |
+| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. 
| keyword |
+| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
+| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date |
+| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date |
+| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
+| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
+| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
+| tls.server.x509.public_key_size | The size of the public key space in bits. | long |
+| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
+| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
+| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| tls.server.x509.subject.country | List of country (C) code | keyword |
+| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
+| tls.server.x509.subject.locality | List of locality names (L) | keyword |
+| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. 
| keyword |
+| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| tls.server.x509.version_number | Version of x509 format. | keyword |
+| tls.version | Numeric part of the version parsed from the original string. | keyword |
+| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
+| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword |
+| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. 
| match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| url.username | Username of the request. | keyword |
+| user.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.group.name | Name of the group. | keyword |
+| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.roles | Array of user roles at the time of the event. | keyword |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| user_agent.os.version | Operating system version as a raw string. 
| keyword |
+| user_agent.version | Version of the user agent. | keyword |
+| vlan.id | VLAN ID as reported by the observer. | keyword |
+| vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword |
+| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword |
+| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword |
+| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text |
+| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword |
+| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword |
+| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword |
+| vulnerability.report_id | The report or scan identification number. | keyword |
+| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword |
+| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float |
+| vulnerability.score.environmental | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) | float |
+| vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float |
+| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
+| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
+| x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
+| x509.issuer.common_name | List of common name (CN) of issuing certificate authority. 
| keyword |
+| x509.issuer.country | List of country (C) codes | keyword |
+| x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
+| x509.issuer.locality | List of locality names (L) | keyword |
+| x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
+| x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
+| x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| x509.not_after | Time at which the certificate is no longer considered valid. | date |
+| x509.not_before | Time at which the certificate is first considered valid. | date |
+| x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
+| x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
+| x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
+| x509.public_key_size | The size of the public key space in bits. | long |
+| x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
+| x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
+| x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| x509.subject.country | List of country (C) code | keyword |
+| x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
+| x509.subject.locality | List of locality names (L) | keyword |
+| x509.subject.organization | List of organizations (O) of subject. 
| keyword |
+| x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
+| x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| x509.version_number | Version of x509 format. | keyword |
+
+
+### Netscreen
+
+The `netscreen` dataset collects Netscreen logs.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. 
| keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. 
| keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/juniper/1.1.1/img/logo.svg b/packages/juniper/1.1.1/img/logo.svg new file mode 100755 index 0000000000..8802414a5a --- /dev/null +++ b/packages/juniper/1.1.1/img/logo.svg @@ -0,0 +1,72 @@ + +image/svg+xml \ No newline at end of file diff --git a/packages/juniper/1.1.1/manifest.yml b/packages/juniper/1.1.1/manifest.yml new file mode 100755 index 0000000000..74ccaa0207 --- /dev/null +++ b/packages/juniper/1.1.1/manifest.yml 
@@ -0,0 +1,32 @@ +format_version: 1.0.0 +name: juniper +title: Juniper Logs +version: 1.1.1 +description: Deprecated. Use a specific Juniper package instead. +categories: ["network", "security"] +release: ga +license: basic +type: integration +conditions: + kibana.version: "^8.0.0" +policy_templates: + - name: juniper + title: Juniper logs + description: Collect Juniper logs from syslog or a file. + inputs: + - type: udp + title: Collect logs from Juniper via UDP + description: Collecting syslog from Juniper via UDP. + - type: tcp + title: Collect logs from Juniper via TCP + description: Collecting syslog from Juniper via TCP. + - type: logfile + title: Collect logs from Juniper via file + description: Collecting syslog from Juniper via file. +icons: + - src: /img/logo.svg + title: Juniper logo + size: 32x32 + type: image/svg+xml +owner: + github: elastic/security-external-integrations diff --git a/packages/microsoft/1.2.1/changelog.yml b/packages/microsoft/1.2.1/changelog.yml new file mode 100755 index 0000000000..a3f35e968a --- /dev/null +++ b/packages/microsoft/1.2.1/changelog.yml 
@@ -0,0 +1,106 @@ +# newer versions go on top +- version: "1.2.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.2.0" + changes: + - description: Update to ECS 8.0.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2591 +- version: "1.1.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.1.0" + changes: + - description: Add deprecation message in readme. + type: enhancement + link: https://github.com/elastic/integrations/pull/2327 +- version: "0.8.3" + changes: + - description: Update title and description. Mark as deprecated in description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1997 +- version: "0.8.2" + changes: + - description: Fixed a bug that prevents the package from working in 7.16. + type: bugfix + link: https://github.com/elastic/integrations/pull/1882 +- version: "0.8.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1828 +- version: "0.8.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1781 +- version: "0.7.5" + changes: + - description: Add proxy config + type: enhancement + link: https://github.com/elastic/integrations/pull/1648 +- version: "0.7.4" + changes: + - description: Requires version 7.14.1 of the stack + type: bugfix + link: https://github.com/elastic/integrations/pull/1541 +- version: "0.7.3" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1487 +- version: '0.7.2' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1394 +- version: "0.7.1" + 
changes: + - description: Escape special characters in docs + type: enhancement + link: https://github.com/elastic/integrations/pull/1405 +- version: "0.7.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.6.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1268 +- version: "0.5.0" + changes: + - description: update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1059 +- version: "0.4.3" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/854 +- version: "0.4.2" + changes: + - description: Fix compatibility with Kibana + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/740 +- version: "0.4.1" + changes: + - description: Drop cloud field in Defender ATP to set it with provided values + type: bugfix # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/732 +- version: "0.4.0" + changes: + - description: Add Defender ATP data stream + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/468 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/231 diff --git a/packages/microsoft/1.2.1/data_stream/defender_atp/agent/stream/httpjson.yml.hbs b/packages/microsoft/1.2.1/data_stream/defender_atp/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..5c8f09e6c9 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/defender_atp/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,45 @@ +config_version: "2" +interval: {{interval}} +auth.oauth2.client.id: {{client_id}} +auth.oauth2.client.secret: {{client_secret}} +auth.oauth2.token_url: "https://login.microsoftonline.com/{{tenant_id}}/oauth2/token" +auth.oauth2.provider: azure +auth.oauth2.azure.resource: https://api.securitycenter.windows.com/ +request.url: "https://api.securitycenter.windows.com/api/alerts" +request.method: GET +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +request.transforms: + - set: + target: "header.User-Agent" + value: "MdatpPartner-Elastic-Filebeat/1.0.0" + - set: + target: "url.params.$expand" + value: evidence + - set: + target: "url.params.$filter" + value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]' + default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05.9999999Z"]]' +response.split: + target: body.value + split: + target: body.evidence + keep_parent: true +cursor: + lastUpdateTime: + value: "[[.last_response.body.lastUpdateTime]]" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/data_stream/defender_atp/agent/stream/log.yml.hbs b/packages/microsoft/1.2.1/data_stream/defender_atp/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..73636a0a7a --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/defender_atp/agent/stream/log.yml.hbs 
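Review bot: `auth.oauth2.client.id: {{client_id}}`, `auth.oauth2.client.secret: {{client_secret}}` and `request.proxy_url: {{proxy_url}}` are substituted as bare plain scalars, so a value that starts with a YAML indicator, contains `: ` or ` #`, or expands to nothing renders as a broken or mis-typed node rather than the intended string, whereas `auth.oauth2.token_url` two lines later already uses the quoted form. Quoting the three in the same way (`auth.oauth2.client.secret: "{{client_secret}}"`, and likewise for `client_id` and `proxy_url`) keeps the rendered input parseable regardless of which characters the credential happens to contain; whether the renderer escapes embedded double quotes is not visible here and should be confirmed before relying on it. The same unquoted substitution appears as `- {{path}}` in the log.yml.hbs hunk that follows.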
@@ -0,0 +1,19 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/data_stream/defender_atp/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft/1.2.1/data_stream/defender_atp/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..0469afcf86 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/defender_atp/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,346 @@ +--- +description: Pipeline for parsing microsoft atp logs +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: ecs.version + value: '1.12.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - remove: + field: + - json.comments + - host + - cloud + ignore_missing: true + +######################### +## ECS General Mapping ## +######################### + - script: + lang: painless + if: ctx?.json != null + params: + values: + - null + - "" + - "-" + - "N/A" + source: | + if (!ctx['json'].empty) { + ctx.json.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + } + - script: + lang: painless + if: ctx?.json?.evidence != null + params: + values: + - null + - "" + - "-" + - "N/A" + source: | + if (!ctx.json['evidence'].empty) { + ctx.json.evidence.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + } + - set: + field: cloud.provider + value: azure + - set: + field: '@timestamp' + value: '{{json.alertUpdateTime}}' + if: ctx.json?.alertUpdateTime != null + - rename: + field: json.aadTenantId + target_field: cloud.account.id + ignore_missing: true + - rename: + field: json.machineId + target_field: cloud.instance.id + ignore_missing: true + - rename: + field: json.title + target_field: message + ignore_missing: true + +####################### +## ECS Event Mapping ## +####################### + - set: + field: event.kind + value: alert +# Events returned from the API is always in UTC, so should never use anything else + - set: + field: event.timezone + value: UTC + - set: + field: event.action + value: '{{json.category}}' + if: ctx.json?.category != null + - set: + field: event.provider + value: defender_atp + - set: + field: event.created + value: '{{json.alertCreationTime}}' + if: ctx.json?.alertCreationTime != null + - append: + field: event.category + value: host + - append: + 
field: event.category + value: malware + if: ctx.json?.category == 'Malware' + - append: + field: event.category + value: process + if: ctx.json?.evidence?.entityType == 'Process' + - append: + field: event.type + value: user + if: ctx.json?.evidence?.entityType == 'User' + - append: + field: event.type + value: + - creation + - start + if: ctx.json?.status == 'New' + - append: + field: event.type + value: end + if: ctx.json?.status == 'Resolved' + - rename: + field: json.id + target_field: event.id + ignore_missing: true + - rename: + field: json.firstEventTime + target_field: event.start + ignore_missing: true + - rename: + field: json.lastEventTime + target_field: event.end + ignore_missing: true + - set: + field: event.severity + value: 0 + if: ctx.json?.severity == 'Unspecified' + - set: + field: event.severity + value: 1 + if: ctx.json?.severity == 'Informational' + - set: + field: event.severity + value: 2 + if: ctx.json?.severity == 'Low' + - set: + field: event.severity + value: 3 + if: ctx.json?.severity == 'Medium' + - set: + field: event.severity + value: 4 + if: ctx.json?.severity == 'High' + - script: + lang: painless + if: "ctx?.event?.start != null && ctx?.event?.end != null" + source: > + Instant eventstart = ZonedDateTime.parse(ctx?.event?.start).toInstant(); + Instant eventend = ZonedDateTime.parse(ctx?.event?.end).toInstant(); + ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend); + +######################## +## ECS Threat Mapping ## +######################## + - set: + field: threat.framework + value: MITRE ATT&CK + if: ctx.json?.category != null + - rename: + field: json.category + target_field: threat.technique.name + ignore_missing: true + - rename: + field: json.description + target_field: rule.description + ignore_missing: true + if: (ctx.json?.description).length() < 1020 + +###################### +## ECS File Mapping ## +###################### + - rename: + field: json.evidence.fileName + target_field: file.name + 
ignore_missing: true + - rename: + field: json.evidence.sha256 + target_field: file.hash.sha256 + ignore_missing: true + - rename: + field: json.evidence.sha1 + target_field: file.hash.sha1 + ignore_missing: true + - rename: + field: json.evidence.filePath + target_field: file.path + ignore_missing: true + +###################### +## ECS Process Mapping ## +###################### + - rename: + field: json.evidence.processId + target_field: process.pid + ignore_missing: true + - rename: + field: json.evidence.processCommandLine + target_field: process.command_line + ignore_missing: true + - rename: + field: json.evidence.processCreationTime + target_field: process.start + ignore_missing: true + - rename: + field: json.evidence.parentProcessId + target_field: process.parent.pid + ignore_missing: true + - rename: + field: json.evidence.parentProcessCreationTime + target_field: process.parent.start + ignore_missing: true + +########################## +## ECS Observer Mapping ## +########################## + - set: + field: observer.product + value: Defender ATP + - set: + field: observer.vendor + value: Microsoft + - rename: + field: json.detectionSource + target_field: observer.name + ignore_missing: true + +##################### +## ECS URL Mapping ## +##################### + - rename: + field: json.evidence.url + target_field: url.full + ignore_missing: true + if: ctx?.json?.evidence?.url != null + - uri_parts: + field: url.full + ignore_failure: true + if: ctx?.url?.full != null + +###################### +## ECS Host Mapping ## +###################### + - rename: + field: json.computerDnsName + target_field: host.hostname + ignore_missing: true + - set: + field: host.name + value: '{{host.hostname}}' + if: ctx?.host?.hostname != null + +###################### +## ECS User Mapping ## +###################### + - rename: + field: json.relatedUser.userName + target_field: user.name + ignore_missing: true + - rename: + field: json.relatedUser.domainName + target_field: 
user.domain + ignore_missing: true + - rename: + field: json.evidence.userSid + target_field: user.id + ignore_missing: true + +############################## +## ECS host.user Mapping ## +## Deprecated since ECS 1.8 ## +############################## + - set: + field: host.user.name + value: '{{user.name}}' + ignore_empty_value: true + - set: + field: host.user.domain + value: '{{user.domain}}' + ignore_empty_value: true + - set: + field: host.user.id + value: '{{user.id}}' + ignore_empty_value: true + +######################### +## ECS Related Mapping ## +######################### + - append: + field: related.ip + value: '{{json.evidence.ipAddress}}' + if: ctx.json?.evidence?.ipAddress != null + - append: + field: related.user + value: '{{user.name}}' + if: ctx.user?.name != null + - append: + field: related.hash + value: '{{file.hash.sha1}}' + if: ctx.file?.hash?.sha1 != null + - append: + field: related.hash + value: '{{file.hash.sha256}}' + if: ctx.file?.hash?.sha256 != null + - append: + field: related.hosts + value: '{{host.hostname}}' + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false + +############# +## Cleanup ## +############# + - remove: + field: + - json.alertCreationTime + - json.severity + - json.relatedUser + ignore_missing: true + - rename: + field: json + target_field: microsoft.defender_atp + ignore_missing: true + - convert: + field: microsoft.defender_atp.incidentId + type: string + ignore_missing: true + - convert: + field: microsoft.defender_atp.investigationId + type: string + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{_ingest.on_failure_message}}' 
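Review bot: The `rename` of `json.description` to `rule.description` is guarded by `if: (ctx.json?.description).length() < 1020`, which invokes `.length()` on null whenever the alert carries no description; in Painless that throws, so `ignore_missing: true` never gets to apply and the whole document is diverted to `on_failure` with only `error.message` set. Check for null before measuring: `if: ctx.json?.description != null && ctx.json.description.length() < 1020`. Separately, the pipeline pins `ecs.version` to `'1.12.0'` while the changelog hunk for 1.2.0 in this same commit records "Update to ECS 8.0.0"; if the pipeline was meant to follow that upgrade the value looks stale, though it may be intentional for this snapshot.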
diff --git a/packages/microsoft/1.2.1/data_stream/defender_atp/fields/agent.yml b/packages/microsoft/1.2.1/data_stream/defender_atp/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/defender_atp/fields/agent.yml 
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/microsoft/1.2.1/data_stream/defender_atp/fields/base-fields.yml b/packages/microsoft/1.2.1/data_stream/defender_atp/fields/base-fields.yml new file mode 100755 index 0000000000..a4e56bf5f3 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/defender_atp/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: microsoft +- name: event.dataset + type: constant_keyword + description: Event dataset + value: microsoft.defender_atp +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/microsoft/1.2.1/data_stream/defender_atp/fields/ecs.yml b/packages/microsoft/1.2.1/data_stream/defender_atp/fields/ecs.yml new file mode 100755 index 0000000000..ff1822b5e5 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/defender_atp/fields/ecs.yml 
@@ -0,0 +1,205 @@ +- description: Unique container id. + name: container.id + type: keyword +- description: Name of the image the container was built on. + name: container.image.name + type: keyword +- description: Container image tags. + name: container.image.tag + type: keyword +- description: Image labels. + name: container.labels + type: object +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Source of the event. 
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. 
+ name: file.hash.sha256 + type: keyword +- description: SHA512 hash. + name: file.hash.sha512 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. 
+ name: observer.vendor + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: Process id. + name: process.parent.pid + type: long +- description: The time the process started. + name: process.parent.start + type: date +- description: Process id. + name: process.pid + type: long +- description: The time the process started. + name: process.start + type: date +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The description of the rule generating the event. + name: rule.description + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. + name: threat.framework + type: keyword +- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/) + multi_fields: + - name: text + type: match_only_text + name: threat.technique.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/microsoft/1.2.1/data_stream/defender_atp/fields/fields.yml b/packages/microsoft/1.2.1/data_stream/defender_atp/fields/fields.yml new file mode 100755 index 0000000000..a05ec2d249 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/defender_atp/fields/fields.yml 
@@ -0,0 +1,72 @@ +- name: microsoft.defender_atp + type: group + release: beta + fields: + - name: lastUpdateTime + type: date + description: | + The date and time (in UTC) the alert was last updated. + - name: resolvedTime + type: date + description: | + The date and time in which the status of the alert was changed to 'Resolved'. + - name: incidentId + type: keyword + description: | + The Incident ID of the Alert. + - name: investigationId + type: keyword + description: | + The Investigation ID related to the Alert. + - name: investigationState + type: keyword + description: | + The current state of the Investigation. + - name: assignedTo + type: keyword + description: | + Owner of the alert. + - name: status + type: keyword + description: | + Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. + - name: classification + type: keyword + description: | + Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. + - name: determination + type: keyword + description: | + Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. + - name: threatFamilyName + type: keyword + description: | + Threat family. 
+ - name: rbacGroupName + type: keyword + description: | + User group related to the alert + - name: evidence.domainName + type: keyword + description: | + Domain name related to the alert + - name: evidence.ipAddress + type: ip + description: | + IP address involved in the alert + - name: evidence.aadUserId + type: keyword + description: | + ID of the user involved in the alert + - name: evidence.accountName + type: keyword + description: | + Username of the user involved in the alert + - name: evidence.entityType + type: keyword + description: | + The type of evidence + - name: evidence.userPrincipalName + type: keyword + description: | + Principal name of the user involved in the alert diff --git a/packages/microsoft/1.2.1/data_stream/defender_atp/manifest.yml b/packages/microsoft/1.2.1/data_stream/defender_atp/manifest.yml new file mode 100755 index 0000000000..048e85f661 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/defender_atp/manifest.yml 
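Review bot: The `classification` entry's description reads `Specification of the alert`, which looks like a typo for `Classification of the alert` given the sibling `determination` entry and the values it lists. Terminal punctuation is inconsistent in this file: the entries from `lastUpdateTime` through `threatFamilyName` end with a period, while `rbacGroupName` through `evidence.userPrincipalName` do not. `evidence.ipAddress` is mapped as `ip`, so a non-IP value from the source is rejected at index time rather than caught by the pipeline's `on_failure` handler; whether the pipeline guards against that I cannot tell from here, since its hunk is only partly visible. This group is tagged `release: beta` while the data stream's manifest.yml in the same commit says `release: experimental`; the two should agree.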
@@ -0,0 +1,108 @@ +type: logs +title: Microsoft Defender ATP logs +release: experimental +streams: + - input: httpjson + vars: + - name: client_id + type: text + title: Client ID + description: The client ID related to creating a new application on Azure. + multi: false + required: true + show_user: true + - name: client_secret + type: text + title: Client Secret + description: The secret related to the client ID. + multi: false + required: true + show_user: true + - name: tenant_id + type: text + title: Tenant ID + description: The tenant ID related to creating a new application on Azure. + multi: false + required: true + show_user: true + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 5m + description: The interval between requests to the HTTP API. + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - defender-atp + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
+ + template_path: httpjson.yml.hbs + title: Microsoft Defender ATP logs + description: Collect Microsoft Defender ATP logs + - input: logfile + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - defender-atp + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: log.yml.hbs + title: Microsoft Defender ATP logs + description: Collect Microsoft Defender ATP logs diff --git a/packages/microsoft/1.2.1/data_stream/defender_atp/sample_event.json b/packages/microsoft/1.2.1/data_stream/defender_atp/sample_event.json new file mode 100755 index 0000000000..68634d8dad --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/defender_atp/sample_event.json 
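Review bot: `client_secret` in the httpjson stream is declared `type: text`, so the policy editor renders and displays the secret as an ordinary string; package-spec has a dedicated `type: password` that masks the value in the UI, and the secret should use it: `type: password`. The `proxy_url` description reads `http[s]://:@:` — the user, password, host and port placeholders appear to have been lost (presumably angle-bracketed tokens stripped as markup), so a reader cannot tell what format is expected; suggest `description: 'URL to proxy connections in the form of http[s]://<user>:<password>@<proxy_host>:<proxy_port>'`. The `paths` var of the logfile stream is the only var in the file without a `description`. This manifest also says `release: experimental` while fields.yml for the same data stream marks the field group `release: beta`.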
@@ -0,0 +1,73 @@ +{ + "rule": { + "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection." + }, + "message": "An active 'Exeselrun' malware was detected", + "microsoft": { + "defender_atp": { + "investigationId": "9", + "evidence": { + "entityType": "File" + }, + "resolvedTime": "2020-06-30T11:13:12.2680434Z", + "investigationState": "Benign", + "incidentId": "12", + "assignedTo": "elastic@elasticuser.com", + "lastUpdateTime": "2020-07-03T15:15:39.13Z", + "status": "Resolved" + } + }, + "cloud": { + "provider": "azure", + "account": { + "id": "123543-d66c-4c7e-9e30-40034eb7c6f3" + }, + "instance": { + "id": "c5a964f417c11f6277d5bf9489f0d" + } + }, + "observer": { + "name": "WindowsDefenderAv", + "product": "Defender ATP", + "vendor": "Microsoft" + }, + "file": { + "name": "SB.xsl", + "path": "C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5" + }, + "related": { + "hosts": [ + "testserver4" + ] + }, + "host": { + "name": "testserver4", + "hostname": "testserver4" + }, + "threat": { + "technique": { + "name": "Malware" + }, + "framework": "MITRE ATT\u0026CK" + }, + "event": { + "severity": 2, + "kind": "alert", + "timezone": "UTC", + "created": "2020-06-30T10:09:01.1569718Z", + "start": "2020-06-30T10:07:44.333733Z", + "type": [ + "end" + ], + "duration": 0, + "ingested": "2021-02-18T13:34:35.126958300Z", + "provider": "defender_atp", + "action": "Malware", + "end": 
"2020-06-30T10:07:44.333733Z", + "id": "da637291085411733957_-1043898914", + "category": [ + "host", + "malware" + ] + } +} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/data_stream/dhcp/agent/stream/log.yml.hbs b/packages/microsoft/1.2.1/data_stream/dhcp/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..d68c848735 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/dhcp/agent/stream/log.yml.hbs 
@@ -0,0 +1,3651 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Microsoft" + product: "DHCP" + type: "Application" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; 
+ for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + 
if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = 
evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? 
"Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]},
+ "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
+ "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
+ "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
+ "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
+ "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
+ "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
+ "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
+ "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
+ "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
+ "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
+ "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
+ "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
+ "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
+ "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
+ "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
+ "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
+ "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
+ "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
+ "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
+ "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
+ "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
+ "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
+ "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
+ "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
+ "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
+ "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
+ "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "user_dept": {to:[{field:
"rsa.identity.user_dept", setter: fld_set}]},
+ "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
+ "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
+ "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
+ "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
+ "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
+ "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
+ "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
+ "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
+ "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
+ "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
+ "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
+ "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
+ "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
+ "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
+ "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
+ "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
+ "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
+ "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
+ "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
+ "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
+ "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
+ "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
+ "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
+ "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
+ "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
+ "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
+ "web_ref_host":
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; 
+ for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + 
if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = 
evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? 
"Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone");
+ }
+ var container = new DateContainer(tzOffset);
+ for (var i=0; i + If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/microsoft/1.2.1/data_stream/dhcp/fields/base-fields.yml b/packages/microsoft/1.2.1/data_stream/dhcp/fields/base-fields.yml
new file mode 100755
index 0000000000..cd35075f6e
--- /dev/null
+++ b/packages/microsoft/1.2.1/data_stream/dhcp/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: microsoft
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: microsoft.dhcp
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
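Review bot: In base-fields.yml the `event.module` and `event.dataset` entries are the only ones whose description has no terminating period (`description: Event module`, `description: Event dataset`) while every sibling entry ends with one; `description: Event module.` and `description: Event dataset.` would keep the wording consistent. Key order also flips partway through the file, from `name, type, description` in the first six entries to `name, description, …, type` from `container.id` onward, so picking one order for the whole file would make it easier to diff against the other data streams' base-fields.yml. Both points are layout and wording only and change nothing in the resulting mapping.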
diff --git a/packages/microsoft/1.2.1/data_stream/dhcp/fields/ecs.yml b/packages/microsoft/1.2.1/data_stream/dhcp/fields/ecs.yml
new file mode 100755
index 0000000000..78ddffacce
--- /dev/null
+++ b/packages/microsoft/1.2.1/data_stream/dhcp/fields/ecs.yml
@@ -0,0 +1,541 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/microsoft/1.2.1/data_stream/dhcp/fields/fields.yml b/packages/microsoft/1.2.1/data_stream/dhcp/fields/fields.yml new file mode 100755 index 0000000000..ea69cd79e3 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/dhcp/fields/fields.yml 
@@ -0,0 +1,1754 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. 
+ - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. 
However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
+ - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. 
+ - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. 
+ - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. 
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. 
+ - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. 
This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. 
This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + 
type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: 
cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - 
name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/microsoft/1.2.1/data_stream/dhcp/manifest.yml b/packages/microsoft/1.2.1/data_stream/dhcp/manifest.yml new file mode 100755 index 0000000000..4e45e2fd94 --- /dev/null +++ b/packages/microsoft/1.2.1/data_stream/dhcp/manifest.yml 
@@ -0,0 +1,204 @@
+title: Microsoft DHCP logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Microsoft DHCP logs
+ description: Collect Microsoft DHCP logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - microsoft-dhcp
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9514
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Microsoft DHCP logs
+ description: Collect Microsoft DHCP logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - microsoft-dhcp
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9514
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ title: Microsoft DHCP logs
+ description: Collect Microsoft DHCP logs from file
+ template_path: log.yml.hbs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/microsoft-dhcp.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - microsoft-dhcp
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/microsoft/1.2.1/data_stream/dhcp/sample_event.json b/packages/microsoft/1.2.1/data_stream/dhcp/sample_event.json
new file mode 100755
index 0000000000..2c966ced2f
--- /dev/null
+++ b/packages/microsoft/1.2.1/data_stream/dhcp/sample_event.json
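Review bot: The `processors` description is written as a `>` folded scalar in the udp and tcp inputs but as `>-` in the logfile input, so the same help text renders with a trailing newline in two of the three streams; use `description: >-` in all three. The `tz_offset`, `rsa_fields`, `keep_raw_fields` and `debug` vars carry only a `title` and no `description`, so a user toggling `keep_raw_fields` or `rsa_fields` cannot tell from the UI what extra fields end up indexed; a one-line `description:` per var stating what it adds would help, for example on `keep_raw_fields` `description: Keep the intermediate parser fields in the indexed event; increases document size`. The `tz_offset` title promises `+HH:mm format` while the default is the string `"local"`, which presumably is a sentinel for the agent's local timezone; the description should say so, since the title alone reads as if `local` were an invalid value.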
@@ -0,0 +1,74 @@
+{
+ "@timestamp": "2016-01-29T06:09:59.000Z",
+ "agent": {
+ "ephemeral_id": "58c793ae-7b18-450b-9966-6d0f5f6fd7ac",
+ "hostname": "docker-fleet-agent",
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.2"
+ },
+ "data_stream": {
+ "dataset": "microsoft.dhcp",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "elastic_agent": {
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "snapshot": false,
+ "version": "7.16.2"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "code": "11030",
+ "dataset": "microsoft.dhcp",
+ "ingested": "2022-01-25T10:07:48Z",
+ "timezone": "+00:00"
+ },
+ "host": {
+ "hostname": "ciade5699.domain"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "172.19.0.4:45800"
+ }
+ },
+ "observer": {
+ "product": "DHCP",
+ "type": "Application",
+ "vendor": "Microsoft"
+ },
+ "related": {
+ "hosts": [
+ "ciade5699.domain"
+ ],
+ "ip": [
+ "10.124.22.221"
+ ]
+ },
+ "rsa": {
+ "internal": {
+ "event_desc": "oremi",
+ "messageid": "11030"
+ },
+ "time": {
+ "event_time": "2016-01-29T06:09:59.000Z"
+ }
+ },
+ "source": {
+ "address": "ciade5699.domain",
+ "ip": [
+ "10.124.22.221"
+ ]
+ },
+ "tags": [
+ "microsoft-dhcp",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/microsoft/1.2.1/docs/README.md b/packages/microsoft/1.2.1/docs/README.md
new file mode 100755
index 0000000000..7d31ee6345
--- /dev/null
+++ b/packages/microsoft/1.2.1/docs/README.md
@@ -0,0 +1,1091 @@ +# Microsoft integration (Deprecated) + +_This integration is deprecated. Please use one of the other Microsoft integrations +that are specific to a Microsoft product._ + +This integration is for Microsoft logs. It includes the following datasets for receiving logs over syslog or read from a file: + +- `defender_atp` dataset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP) +- `dhcp` dataset: Supports Microsoft DHCP logs. + +## Logs + +### Defender ATP + +To allow the integration to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain. + +The procedure to create an application is found on the below link: + +https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp[Create a new Azure Application] + +When giving the application the API permissions described in the documentation (`Windows Defender ATP Alert.Read.All`) it will only grant access to read alerts from ATP and nothing else in the Azure Domain. + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. 
+ +These values are: + +- Client ID +- Client Secret +- Tenant ID + +#### ECS mappings + +| Defender ATP Fields | ECS Fields | +|-------------------------------------|--------------------------------| +| alertCreationTime | @timestamp | +| aadTenantId | cloud.account.id | +| category | threat.technique.name | +| computerDnsName | host.hostname | +| description | rule.description | +| detectionSource | observer.name | +| evidence.fileName | file.name | +| evidence.filePath | file.path | +| evidence.processId | process.pid | +| evidence.processCommandLine | process.command_line | +| evidence.processCreationTime | process.start | +| evidence.parentProcessId | process.parent.pid | +| evidence.parentProcessCreationTime | process.parent.start | +| evidence.sha1 | file.hash.sha1 | +| evidence.sha256 | file.hash.sha256 | +| evidence.url | url.full | +| firstEventTime | event.start | +| id | event.id | +| lastEventTime | event.end | +| machineId | cloud.instance.id | +| relatedUser.userName | host.user.name | +| relatedUser.domainName | host.user.domain | +| title | message | +| severity | event.severity | + +An example event for `defender_atp` looks as following: + +```json +{ + "rule": { + "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection." 
+ }, + "message": "An active 'Exeselrun' malware was detected", + "microsoft": { + "defender_atp": { + "investigationId": "9", + "evidence": { + "entityType": "File" + }, + "resolvedTime": "2020-06-30T11:13:12.2680434Z", + "investigationState": "Benign", + "incidentId": "12", + "assignedTo": "elastic@elasticuser.com", + "lastUpdateTime": "2020-07-03T15:15:39.13Z", + "status": "Resolved" + } + }, + "cloud": { + "provider": "azure", + "account": { + "id": "123543-d66c-4c7e-9e30-40034eb7c6f3" + }, + "instance": { + "id": "c5a964f417c11f6277d5bf9489f0d" + } + }, + "observer": { + "name": "WindowsDefenderAv", + "product": "Defender ATP", + "vendor": "Microsoft" + }, + "file": { + "name": "SB.xsl", + "path": "C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5" + }, + "related": { + "hosts": [ + "testserver4" + ] + }, + "host": { + "name": "testserver4", + "hostname": "testserver4" + }, + "threat": { + "technique": { + "name": "Malware" + }, + "framework": "MITRE ATT\u0026CK" + }, + "event": { + "severity": 2, + "kind": "alert", + "timezone": "UTC", + "created": "2020-06-30T10:09:01.1569718Z", + "start": "2020-06-30T10:07:44.333733Z", + "type": [ + "end" + ], + "duration": 0, + "ingested": "2021-02-18T13:34:35.126958300Z", + "provider": "defender_atp", + "action": "Malware", + "end": "2020-06-30T10:07:44.333733Z", + "id": "da637291085411733957_-1043898914", + "category": [ + "host", + "malware" + ] + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.image.tag | Container image tags. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. 
| keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.hash.sha512 | SHA512 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| microsoft.defender_atp.assignedTo | Owner of the alert. | keyword | +| microsoft.defender_atp.classification | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. | keyword | +| microsoft.defender_atp.determination | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. 
| keyword | +| microsoft.defender_atp.evidence.aadUserId | ID of the user involved in the alert | keyword | +| microsoft.defender_atp.evidence.accountName | Username of the user involved in the alert | keyword | +| microsoft.defender_atp.evidence.domainName | Domain name related to the alert | keyword | +| microsoft.defender_atp.evidence.entityType | The type of evidence | keyword | +| microsoft.defender_atp.evidence.ipAddress | IP address involved in the alert | ip | +| microsoft.defender_atp.evidence.userPrincipalName | Principal name of the user involved in the alert | keyword | +| microsoft.defender_atp.incidentId | The Incident ID of the Alert. | keyword | +| microsoft.defender_atp.investigationId | The Investigation ID related to the Alert. | keyword | +| microsoft.defender_atp.investigationState | The current state of the Investigation. | keyword | +| microsoft.defender_atp.lastUpdateTime | The date and time (in UTC) the alert was last updated. | date | +| microsoft.defender_atp.rbacGroupName | User group related to the alert | keyword | +| microsoft.defender_atp.resolvedTime | The date and time in which the status of the alert was changed to 'Resolved'. | date | +| microsoft.defender_atp.status | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. | keyword | +| microsoft.defender_atp.threatFamilyName | Threat family. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
| keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.start | The time the process started. | date | +| process.pid | Process id. | long | +| process.start | The time the process started. | date | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + +### DHCP + +The `dhcp` dataset collects Microsoft DHCP logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. 
Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. 
| keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.interface.name | | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.product | The product name of the observer. 
| keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pid | Process id. | long |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
+| process.pid | Process id. | long |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. 
| keyword |
+| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long |
+| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword |
+| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long |
+| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword |
+| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long |
+| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword |
+| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword |
+| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword |
+| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword |
+| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword |
+| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword |
+| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword |
+| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long |
+| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword |
+| rsa.crypto.cert_checksum | | keyword |
+| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword |
+| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword |
+| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword |
+| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword |
+| rsa.crypto.cert_issuer | | keyword |
+| rsa.crypto.cert_keysize | | keyword |
+| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword |
+| rsa.crypto.cert_status | This key captures Certificate validation status | keyword |
+| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword |
+| rsa.crypto.cert_username | | keyword |
+| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword |
+| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long |
+| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long |
+| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword |
+| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword |
+| rsa.crypto.d_certauth | | keyword |
+| rsa.crypto.https_insact | | keyword |
+| rsa.crypto.https_valid | | keyword |
+| rsa.crypto.ike | IKE negotiation phase. 
| keyword |
+| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword |
+| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword |
+| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword |
+| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword |
+| rsa.crypto.s_certauth | | keyword |
+| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword |
+| rsa.crypto.sig_type | This key captures the Signature Type | keyword |
+| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword |
+| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword |
+| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword |
+| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword |
+| rsa.db.db_pid | This key captures the process id of a connection with database server | long |
+| rsa.db.index | This key captures IndexID of the index. | keyword |
+| rsa.db.instance | This key is used to capture the database server instance name | keyword |
+| rsa.db.lread | This key is used for the number of logical reads | long |
+| rsa.db.lwrite | This key is used for the number of logical writes | long |
+| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword |
+| rsa.db.pread | This key is used for the number of physical writes | long |
+| rsa.db.table_name | This key is used to capture the table name | keyword |
+| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword |
+| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword |
+| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword |
+| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword |
+| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword |
+| rsa.email.trans_from | Deprecated key defined only in table map. | keyword |
+| rsa.email.trans_to | Deprecated key defined only in table map. | keyword |
+| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword |
+| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword |
+| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword |
+| rsa.file.attachment | This key captures the attachment file name | keyword |
+| rsa.file.binary | Deprecated key defined only in table map. 
| keyword |
+| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword |
+| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword |
+| rsa.file.file_entropy | This is used to capture entropy vale of a file | double |
+| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword |
+| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword |
+| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword |
+| rsa.file.filename_tmp | | keyword |
+| rsa.file.filesystem | | keyword |
+| rsa.file.privilege | Deprecated, use permissions | keyword |
+| rsa.file.task_name | This is used to capture name of the task | keyword |
+| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword |
+| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword |
+| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword |
+| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword |
+| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword |
+| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword |
+| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword |
+| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword |
+| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword |
+| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword |
+| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword |
+| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword |
+| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword |
+| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword |
+| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword |
+| rsa.identity.org | This key captures the User organization | keyword |
+| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword |
+| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword |
+| rsa.identity.profile | This key is used to capture the user profile | keyword |
+| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword |
+| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword |
+| rsa.identity.user_dept | User's Department Names only | keyword |
+| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword |
+| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword |
+| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword |
+| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.data | Deprecated key defined only in table map. | keyword |
+| rsa.internal.dead | Deprecated key defined only in table map. | long |
+| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.device_type_id | Deprecated key defined only in table map. | long |
+| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long |
+| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword |
+| rsa.internal.event_desc | | keyword |
+| rsa.internal.event_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip |
+| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip |
+| rsa.internal.hcode | Deprecated key defined only in table map. | keyword |
+| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.inode | Deprecated key defined only in table map. | long |
+| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date |
+| rsa.internal.level | Deprecated key defined only in table map. | long |
+| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long |
+| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long |
+| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long |
+| rsa.internal.message | This key captures the contents of instant messages | keyword |
+| rsa.internal.messageid | | keyword |
+| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword |
+| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.node_name | Deprecated key defined only in table map. | keyword |
+| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword |
+| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword |
+| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword |
+| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long |
+| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword |
+| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword |
+| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword |
+| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword |
+| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.site | Deprecated key defined only in table map. | keyword |
+| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long |
+| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.internal.statement | Deprecated key defined only in table map. | keyword |
+| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date |
+| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long |
+| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword |
+| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword |
+| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword |
+| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword |
+| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword |
+| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword |
+| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword |
+| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword |
+| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword |
+| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword |
+| rsa.investigations.event_cat | This key captures the Event category number | long |
+| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword |
+| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword |
+| rsa.investigations.inv_category | This used to capture investigation category | keyword |
+| rsa.investigations.inv_context | This used to capture investigation context | keyword |
+| rsa.investigations.ioc | This is key capture indicator of compromise | keyword |
+| rsa.misc.OS | This key captures the Name of the Operating System | keyword |
+| rsa.misc.acl_id | | keyword |
+| rsa.misc.acl_op | | keyword |
+| rsa.misc.acl_pos | | keyword |
+| rsa.misc.acl_table | | keyword |
+| rsa.misc.action | | keyword |
+| rsa.misc.admin | | keyword |
+| rsa.misc.agent_id | This key is used to capture agent id | keyword |
+| rsa.misc.alarm_id | | keyword |
+| rsa.misc.alarmname | | keyword |
+| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.app_id | | keyword |
+| rsa.misc.audit | | keyword |
+| rsa.misc.audit_object | | keyword |
+| rsa.misc.auditdata | | keyword |
+| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword |
+| rsa.misc.benchmark | | keyword |
+| rsa.misc.bypass | | keyword |
+| rsa.misc.cache | | keyword |
+| rsa.misc.cache_hit | | keyword |
+| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword |
+| rsa.misc.cc_number | Valid Credit Card Numbers only | long |
+| rsa.misc.cefversion | | keyword |
+| rsa.misc.cfg_attr | | keyword |
+| rsa.misc.cfg_obj | | keyword |
+| rsa.misc.cfg_path | | keyword |
+| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword |
+| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword |
+| rsa.misc.changes | | keyword |
+| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword |
+| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword |
+| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword |
+| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword |
+| rsa.misc.client_ip | | keyword |
+| rsa.misc.clustermembers | | keyword |
+| rsa.misc.cmd | | keyword |
+| rsa.misc.cn_acttimeout | | keyword |
+| rsa.misc.cn_asn_src | | keyword |
+| rsa.misc.cn_bgpv4nxthop | | keyword |
+| rsa.misc.cn_ctr_dst_code | | keyword |
+| rsa.misc.cn_dst_tos | | keyword |
+| rsa.misc.cn_dst_vlan | | keyword |
+| rsa.misc.cn_engine_id | | keyword |
+| rsa.misc.cn_engine_type | | keyword |
+| rsa.misc.cn_f_switch | | keyword |
+| rsa.misc.cn_flowsampid | | keyword |
+| rsa.misc.cn_flowsampintv | | keyword |
+| rsa.misc.cn_flowsampmode | | keyword |
+| rsa.misc.cn_inacttimeout | | keyword |
+| rsa.misc.cn_inpermbyts | | keyword |
+| rsa.misc.cn_inpermpckts | | keyword |
+| rsa.misc.cn_invalid | | keyword |
+| rsa.misc.cn_ip_proto_ver | | keyword |
+| rsa.misc.cn_ipv4_ident | | keyword |
+| rsa.misc.cn_l_switch | | keyword |
+| rsa.misc.cn_log_did | | keyword |
+| rsa.misc.cn_log_rid | | keyword |
+| rsa.misc.cn_max_ttl | | keyword |
+| rsa.misc.cn_maxpcktlen | | keyword |
+| rsa.misc.cn_min_ttl | | keyword |
+| rsa.misc.cn_minpcktlen | | keyword |
+| rsa.misc.cn_mpls_lbl_1 | | keyword |
+| rsa.misc.cn_mpls_lbl_10 | | keyword |
+| rsa.misc.cn_mpls_lbl_2 | | keyword |
+| rsa.misc.cn_mpls_lbl_3 | | keyword |
+| rsa.misc.cn_mpls_lbl_4 | | keyword |
+| rsa.misc.cn_mpls_lbl_5 | 
| keyword |
+| rsa.misc.cn_mpls_lbl_6 | | keyword |
+| rsa.misc.cn_mpls_lbl_7 | | keyword |
+| rsa.misc.cn_mpls_lbl_8 | | keyword |
+| rsa.misc.cn_mpls_lbl_9 | | keyword |
+| rsa.misc.cn_mplstoplabel | | keyword |
+| rsa.misc.cn_mplstoplabip | | keyword |
+| rsa.misc.cn_mul_dst_byt | | keyword |
+| rsa.misc.cn_mul_dst_pks | | keyword |
+| rsa.misc.cn_muligmptype | | keyword |
+| rsa.misc.cn_sampalgo | | keyword |
+| rsa.misc.cn_sampint | | keyword |
+| rsa.misc.cn_seqctr | | keyword |
+| rsa.misc.cn_spackets | | keyword |
+| rsa.misc.cn_src_tos | | keyword |
+| rsa.misc.cn_src_vlan | | keyword |
+| rsa.misc.cn_sysuptime | | keyword |
+| rsa.misc.cn_template_id | | keyword |
+| rsa.misc.cn_totbytsexp | | keyword |
+| rsa.misc.cn_totflowexp | | keyword |
+| rsa.misc.cn_totpcktsexp | | keyword |
+| rsa.misc.cn_unixnanosecs | | keyword |
+| rsa.misc.cn_v6flowlabel | | keyword |
+| rsa.misc.cn_v6optheaders | | keyword |
+| rsa.misc.code | | keyword |
+| rsa.misc.command | | keyword |
+| rsa.misc.comments | Comment information provided in the log message | keyword |
+| rsa.misc.comp_class | | keyword |
+| rsa.misc.comp_name | | keyword |
+| rsa.misc.comp_rbytes | | keyword |
+| rsa.misc.comp_sbytes | | keyword |
+| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword |
+| rsa.misc.connection_id | This key captures the Connection ID | keyword |
+| rsa.misc.content | This key captures the content type from protocol headers | keyword |
+| rsa.misc.content_type | This key is used to capture Content Type only. | keyword |
+| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword |
+| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword |
+| rsa.misc.list_name | | keyword |
+| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword |
+| rsa.misc.load_data | | keyword |
+| rsa.misc.location_floor | | keyword |
+| rsa.misc.location_mark | | keyword |
+| rsa.misc.log_id | | keyword |
+| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword |
+| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword |
+| rsa.misc.log_type | | keyword |
+| rsa.misc.logid | | keyword |
+| rsa.misc.logip | | keyword |
+| rsa.misc.logname | | keyword |
+| rsa.misc.longitude | | keyword |
+| rsa.misc.lport | | keyword |
+| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword |
+| rsa.misc.match | This key is for regex match name from search.ini | keyword |
+| rsa.misc.mbug_data | | keyword |
+| rsa.misc.message_body | This key captures the The contents of the message body. | keyword |
+| rsa.misc.misc | | keyword |
+| rsa.misc.misc_name | | keyword |
+| rsa.misc.mode | | keyword |
+| rsa.misc.msgIdPart1 | | keyword |
+| rsa.misc.msgIdPart2 | | keyword |
+| rsa.misc.msgIdPart3 | | keyword |
+| rsa.misc.msgIdPart4 | | keyword |
+| rsa.misc.msg_type | | keyword |
+| rsa.misc.msgid | | keyword |
+| rsa.misc.name | | keyword |
+| rsa.misc.netsessid | | keyword |
+| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword |
+| rsa.misc.ntype | | keyword |
+| rsa.misc.num | | keyword |
+| rsa.misc.number | | keyword |
+| rsa.misc.number1 | | keyword |
+| rsa.misc.number2 | | keyword |
+| rsa.misc.nwwn | | keyword |
+| rsa.misc.obj_name | This is used to capture name of object | keyword |
+| rsa.misc.obj_type | This is used to capture type of object | keyword |
+| rsa.misc.object | | keyword |
+| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword |
+| rsa.misc.operation | | keyword |
+| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword |
+| rsa.misc.opkt | | keyword |
+| rsa.misc.orig_from | | keyword |
+| rsa.misc.owner_id | | keyword |
+| rsa.misc.p_action | | keyword |
+| rsa.misc.p_filter | | keyword |
+| rsa.misc.p_group_object | | keyword |
+| rsa.misc.p_id | | keyword |
+| rsa.misc.p_msgid | | keyword |
+| rsa.misc.p_msgid1 | | keyword |
+| rsa.misc.p_msgid2 | | keyword |
+| rsa.misc.p_result1 | | keyword |
+| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword |
+| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword |
+| rsa.misc.param_src | This key captures source parameter | keyword |
+| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword |
+| rsa.misc.password_chg | | keyword |
+| rsa.misc.password_expire | | keyword |
+| rsa.misc.payload_dst | This key is used to capture destination payload | keyword |
+| rsa.misc.payload_src | This key is used to capture source payload | keyword |
+| rsa.misc.permgranted | | keyword |
+| rsa.misc.permwanted | | keyword |
+| rsa.misc.pgid | | keyword |
+| rsa.misc.phone | | keyword |
+| rsa.misc.pid | | keyword |
+| rsa.misc.policy | | keyword |
+| rsa.misc.policyUUID | | keyword |
+| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword |
+| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword |
+| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword |
+| rsa.misc.policy_waiver | | keyword |
+| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword |
+| rsa.misc.pool_name | This key captures the name of a resource pool | keyword |
+| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword |
+| rsa.misc.priority | | keyword |
+| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword |
+| rsa.misc.prog_asp_num | | keyword |
+| rsa.misc.program | | keyword |
+| rsa.misc.real_data | | keyword |
+| rsa.misc.reason | | keyword |
+| rsa.misc.rec_asp_device | | keyword |
+| rsa.misc.rec_asp_num | | keyword |
+| rsa.misc.rec_library | | keyword |
+| rsa.misc.recordnum | | keyword |
+| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword |
+| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword |
+| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword |
+| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword |
+| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword |
+| rsa.misc.risk | This key captures the non-numeric risk value | keyword |
+| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.risk_num | This key captures a Numeric Risk value | double |
+| rsa.misc.risk_num_comm | This key captures Risk Number Community | double |
+| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double |
+| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double |
+| rsa.misc.risk_num_static | This key captures Risk Number Static | double |
+| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword |
+| rsa.misc.ruid | | keyword |
+| rsa.misc.rule | This key captures the Rule number | keyword |
+| rsa.misc.rule_group | This key captures the Rule group name | keyword |
+| rsa.misc.rule_name | This key captures the Rule Name | keyword |
+| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword |
+| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword |
+| rsa.misc.sburb | | keyword |
+| rsa.misc.sdomain_fld | | keyword |
+| rsa.misc.search_text | This key captures the Search Text used | keyword |
+| rsa.misc.sec | | keyword |
+| rsa.misc.second | | keyword |
+| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword |
+| rsa.misc.sensorname | | keyword |
+| rsa.misc.seqnum | | keyword |
+| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword |
+| rsa.misc.session | | keyword |
+| rsa.misc.sessiontype | | keyword |
+| rsa.misc.severity | This key is used to capture the severity given the session | keyword |
+| rsa.misc.sigUUID | | keyword |
+| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long |
+| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long |
+| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword |
+| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword |
+| rsa.misc.sigcat | | keyword |
+| rsa.misc.snmp_oid | SNMP Object Identifier | keyword |
+| rsa.misc.snmp_value | SNMP set request value | keyword |
+| rsa.misc.space | | keyword |
+| rsa.misc.space1 | | keyword |
+| rsa.misc.spi | | keyword |
+| rsa.misc.spi_dst | Destination SPI Index | keyword |
+| rsa.misc.spi_src | Source SPI Index | keyword |
+| rsa.misc.sql | This key captures the SQL query | keyword |
+| rsa.misc.srcburb | | keyword |
+| rsa.misc.srcdom | | keyword |
+| rsa.misc.srcservice | | keyword |
+| rsa.misc.state | | keyword |
+| rsa.misc.status | | keyword |
+| rsa.misc.status1 | | keyword |
+| rsa.misc.streams | This key captures number of streams in session | long |
+| rsa.misc.subcategory | | keyword |
+| rsa.misc.svcno | | keyword |
+| rsa.misc.system | | keyword |
+| rsa.misc.tbdstr1 | | keyword |
+| rsa.misc.tbdstr2 | | keyword |
+| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long |
+| rsa.misc.terminal | This key captures the Terminal Names only | keyword |
+| rsa.misc.tgtdom | | keyword |
+| rsa.misc.tgtdomain | | keyword |
+| rsa.misc.threshold | | keyword |
+| rsa.misc.tos | This key describes the type of service | long |
+| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword |
+| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword |
+| rsa.misc.type | | keyword |
+| rsa.misc.type1 | | keyword |
+| rsa.misc.udb_class | | keyword |
+| rsa.misc.url_fld | | keyword |
+| rsa.misc.user_div | | keyword |
+| rsa.misc.userid | | keyword |
+| rsa.misc.username_fld | | keyword |
+| rsa.misc.utcstamp | | keyword |
+| rsa.misc.v_instafname | | keyword |
+| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword |
+| rsa.misc.virt_data | | keyword |
+| rsa.misc.virusname | This key captures the name of the virus | keyword |
+| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword |
+| rsa.misc.vpnid | | keyword |
+| rsa.misc.vsys | This key captures Virtual System Name | keyword |
+| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword |
+| rsa.misc.workspace | This key captures Workspace Description | keyword |
+| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword |
+| rsa.network.addr | | keyword |
+| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer.
| keyword |
+| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword |
+| rsa.network.dmask | This key is used for Destionation Device network mask | keyword |
+| rsa.network.dns_a_record | | keyword |
+| rsa.network.dns_cname_record | | keyword |
+| rsa.network.dns_id | | keyword |
+| rsa.network.dns_opcode | | keyword |
+| rsa.network.dns_ptr_record | | keyword |
+| rsa.network.dns_resp | | keyword |
+| rsa.network.dns_type | | keyword |
+| rsa.network.domain | | keyword |
+| rsa.network.domain1 | | keyword |
+| rsa.network.eth_host | Deprecated, use alias.mac | keyword |
+| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long |
+| rsa.network.faddr | | keyword |
+| rsa.network.fhost | | keyword |
+| rsa.network.fport | | keyword |
+| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword |
+| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword |
+| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword |
+| rsa.network.host_type | | keyword |
+| rsa.network.icmp_code | This key is used to capture the ICMP code only | long |
+| rsa.network.icmp_type | This key is used to capture the ICMP type only | long |
+| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword |
+| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long |
+| rsa.network.laddr | | keyword |
+| rsa.network.lhost | | keyword |
+| rsa.network.linterface | | keyword |
+| rsa.network.mask | This key is used to capture the device network IPmask. | keyword |
+| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword |
+| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long |
+| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword |
+| rsa.network.origin | | keyword |
+| rsa.network.packet_length | | keyword |
+| rsa.network.paddr | Deprecated | ip |
+| rsa.network.phost | | keyword |
+| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long |
+| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword |
+| rsa.network.remote_domain_id | | keyword |
+| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword |
+| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword |
+| rsa.network.smask | This key is used for capturing source Network Mask | keyword |
+| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long |
+| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword |
+| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword |
+| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword |
+| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword |
+| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword |
+| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword |
+| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword |
+| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword |
+| rsa.threat.alert | This key is used to capture name of the alert | keyword |
+| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword |
+| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword |
+| rsa.threat.threat_source | This key is used to capture source of the threat | keyword |
+| rsa.time.date | | keyword |
+| rsa.time.datetime | | keyword |
+| rsa.time.day | | keyword |
+| rsa.time.duration_str | A text string version of the duration | keyword |
+| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double |
+| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date |
+| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date |
+| rsa.time.event_queue_time | This key is the Time that the event was queued. | date |
+| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date |
+| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword |
+| rsa.time.eventtime | | keyword |
+| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date |
+| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword |
+| rsa.time.gmtdate | | keyword |
+| rsa.time.gmttime | | keyword |
+| rsa.time.hour | | keyword |
+| rsa.time.min | | keyword |
+| rsa.time.month | | keyword |
+| rsa.time.p_date | | keyword |
+| rsa.time.p_month | | keyword |
+| rsa.time.p_time | | keyword |
+| rsa.time.p_time1 | | keyword |
+| rsa.time.p_time2 | | keyword |
+| rsa.time.p_year | | keyword |
+| rsa.time.process_time | Deprecated, use duration.time | keyword |
+| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date |
+| rsa.time.stamp | Deprecated key defined only in table map. | date |
+| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date |
+| rsa.time.timestamp | | keyword |
+| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword |
+| rsa.time.tzone | | keyword |
+| rsa.time.year | | keyword |
+| rsa.web.alias_host | | keyword |
+| rsa.web.cn_asn_dst | | keyword |
+| rsa.web.cn_rpackets | | keyword |
+| rsa.web.fqdn | Fully Qualified Domain Names | keyword |
+| rsa.web.p_url | | keyword |
+| rsa.web.p_user_agent | | keyword |
+| rsa.web.p_web_cookie | | keyword |
+| rsa.web.p_web_method | | keyword |
+| rsa.web.p_web_referer | | keyword |
+| rsa.web.remote_domain | | keyword |
+| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double |
+| rsa.web.urlpage | | keyword |
+| rsa.web.urlroot | | keyword |
+| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword |
+| rsa.web.web_extension_tmp | | keyword |
+| rsa.web.web_page | | keyword |
+| rsa.web.web_ref_domain | Web referer's domain | keyword |
+| rsa.web.web_ref_page | This key captures Web referer's page information | keyword |
+| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword |
+| rsa.web.web_ref_root | Web referer's root URL path | keyword |
+| rsa.wireless.access_point | This key is used to capture the access point name. | keyword |
+| rsa.wireless.wlan_channel | This is used to capture the channel names | long |
+| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
+| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+
diff --git a/packages/microsoft/1.2.1/img/filebeat-defender-atp-overview.png b/packages/microsoft/1.2.1/img/filebeat-defender-atp-overview.png
new file mode 100755
index 0000000000..7df250e2ae
Binary files /dev/null and b/packages/microsoft/1.2.1/img/filebeat-defender-atp-overview.png differ
diff --git a/packages/microsoft/1.2.1/img/logo.svg b/packages/microsoft/1.2.1/img/logo.svg
new file mode 100755
index 0000000000..5334aa7ca6
--- /dev/null
+++ b/packages/microsoft/1.2.1/img/logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/microsoft/1.2.1/img/siem-alerts-cs.jpg b/packages/microsoft/1.2.1/img/siem-alerts-cs.jpg
new file mode 100755
index 0000000000..b74edfe229
Binary files /dev/null and b/packages/microsoft/1.2.1/img/siem-alerts-cs.jpg differ
diff --git a/packages/microsoft/1.2.1/img/siem-events-cs.jpg b/packages/microsoft/1.2.1/img/siem-events-cs.jpg
new file mode 100755
index 0000000000..9839f73821
Binary files /dev/null and b/packages/microsoft/1.2.1/img/siem-events-cs.jpg differ
diff --git a/packages/microsoft/1.2.1/kibana/dashboard/microsoft-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json b/packages/microsoft/1.2.1/kibana/dashboard/microsoft-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json
new file mode 100755
index 0000000000..a8f18d053a
--- /dev/null
+++ b/packages/microsoft/1.2.1/kibana/dashboard/microsoft-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json
@@ -0,0 +1,59 @@
+{
+ "attributes": {
+ "description": "Microsoft Defender ATP Alert Overview",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:microsoft.defender_atp\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8343f7ea-b977-44bf-bf81-6d41742093a4\",\"w\":4,\"x\":0,\"y\":0},\"panelIndex\":\"8343f7ea-b977-44bf-bf81-6d41742093a4\",\"panelRefName\":\"panel_0\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":24,\"i\":\"74d36139-4d22-44d4-bfc8-020c575febb1\",\"w\":25,\"x\":4,\"y\":0},\"panelIndex\":\"74d36139-4d22-44d4-bfc8-020c575febb1\",\"panelRefName\":\"panel_1\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":24,\"i\":\"a3e140ed-a0ed-4da0-8142-72d68fd7c5e5\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"a3e140ed-a0ed-4da0-8142-72d68fd7c5e5\",\"panelRefName\":\"panel_2\",\"title\":\"ATP Techniques [Logs Microsoft]\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f3843ab0-8b0f-4f64-805c-4ab0d0965d8a\",\"w\":4,\"x\":0,\"y\":6},\"panelIndex\":\"f3843ab0-8b0f-4f64-805c-4ab0d0965d8a\",\"panelRefName\":\"panel_3\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"16e7059b-70a5-4ea4-b622-9015d7430419\",\"w\":4,\"x\":0,\"y\":12},\"panelIndex\":\"16e7059b-70a5-4ea4-b622-9015d7430419\",\"panelRefName\":\"panel_4\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"d8a5a667-ed0b-42ed-ae7d-edbfa722677f\",\"w\":4,\"x\":0,\"y\":18},\"panelIndex\":\"d8a5a667-ed0b-42ed-ae7d-edbfa722677f\",\"panelRefName\":\"panel_5\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"cb8de6bb-1096-427d-834e-210963aad3e5\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"cb8de6bb-1096-427d-834e-210963aad3e5\",\"panelRefName\":\"panel_6\",\"version\":\"7.8.1\"}]",
+ "timeRestore": false,
+ "title": "[Logs Microsoft] ATP Overview",
+ "version": 1
+ },
+ "id": "microsoft-65402c30-ca6a-11ea-9d4d-9737a63aaa55",
+ "migrationVersion": {
+ "dashboard": "7.11.0"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "microsoft-3c64f400-ca68-11ea-9d4d-9737a63aaa55",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "microsoft-e415af10-ca67-11ea-9d4d-9737a63aaa55",
+ "name": "panel_1",
+ "type": "lens"
+ },
+ {
+ "id": "microsoft-14d367f0-ca68-11ea-9d4d-9737a63aaa55",
+ "name": "panel_2",
+ "type": "lens"
+ },
+ {
+ "id": "microsoft-9e902dc0-ca68-11ea-9d4d-9737a63aaa55",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "microsoft-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55",
+ "name": "panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "microsoft-62f081c0-ca68-11ea-9d4d-9737a63aaa55",
+ "name": "panel_5",
+ "type": "visualization"
+ },
+ {
+ "id":
"microsoft-00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/kibana/lens/microsoft-14d367f0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft/1.2.1/kibana/lens/microsoft-14d367f0-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..198be8e7df --- /dev/null +++ b/packages/microsoft/1.2.1/kibana/lens/microsoft-14d367f0-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,139 @@ +{ + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f93e2634-0dd5-4aec-b6de-45284dd39630": { + "columnOrder": [ + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51", + "0f67be87-cc6f-48e7-8afd-d9401037d006" + ], + "columns": { + "0f67be87-cc6f-48e7-8afd-d9401037d006": { + "dataType": "number", + "isBucketed": false, + "label": "Number of techniques", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51": { + "dataType": "string", + "isBucketed": true, + "label": "Related MITRE attach techniques", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.technique.name" + } + } + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.integration", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.integration": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft.defender_atp" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51" + ], + "layerId": "f93e2634-0dd5-4aec-b6de-45284dd39630", + "legendDisplay": "default", + "metric": "0f67be87-cc6f-48e7-8afd-d9401037d006", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "treemap" + } + }, + "title": "ATP Techniques 
[Logs Microsoft]", + "visualizationType": "lnsPie" + }, + "id": "microsoft-14d367f0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f93e2634-0dd5-4aec-b6de-45284dd39630", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/kibana/lens/microsoft-e415af10-ca67-11ea-9d4d-9737a63aaa55.json b/packages/microsoft/1.2.1/kibana/lens/microsoft-e415af10-ca67-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..365f8751e9 --- /dev/null +++ b/packages/microsoft/1.2.1/kibana/lens/microsoft-e415af10-ca67-11ea-9d4d-9737a63aaa55.json 
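Review bot: The `label` of the terms column `12ecaf1f-b957-4c15-8f43-8f043a7d1d51` reads `Related MITRE attach techniques`, which misspells ATT&CK and is user-visible as the bucket title of this treemap. It should read `"label": "Related MITRE ATT&CK techniques"`. Since this file is an exported saved object, the rename is best made in the Lens editor and re-exported so the stored state stays consistent with Kibana's own serialization.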
@@ -0,0 +1,164 @@ +{ + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ac550ae9-6e17-4944-9545-25bbe83d9dbb": { + "columnOrder": [ + "19ade524-0042-4ecd-ac59-9696c8c2e225", + "677e5501-ca31-435c-8eab-38b5297e54c2", + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "columns": { + "19ade524-0042-4ecd-ac59-9696c8c2e225": { + "dataType": "number", + "isBucketed": true, + "label": "Top values of event.severity", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "27212c7c-83ee-4292-a4c6-396d9b77dce6", + "type": "column" + }, + "orderDirection": "desc", + "size": 6 + }, + "scale": "ordinal", + "sourceField": "event.severity" + }, + "27212c7c-83ee-4292-a4c6-396d9b77dce6": { + "dataType": "number", + "isBucketed": false, + "label": "Number of incidents", + "operationType": "cardinality", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "microsoft.defender_atp.incidentId" + }, + "677e5501-ca31-435c-8eab-38b5297e54c2": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "24h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + } + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.integration", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.integration": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft.defender_atp" + } + } + } 
+ ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "layerId": "ac550ae9-6e17-4944-9545-25bbe83d9dbb", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "19ade524-0042-4ecd-ac59-9696c8c2e225", + "xAccessor": "677e5501-ca31-435c-8eab-38b5297e54c2" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "ATP New Incidents [Logs Microsoft]", + "visualizationType": "lnsXY" + }, + "id": "microsoft-e415af10-ca67-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ac550ae9-6e17-4944-9545-25bbe83d9dbb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/kibana/visualization/microsoft-00e8fca0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft/1.2.1/kibana/visualization/microsoft-00e8fca0-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..497f33df8f --- /dev/null +++ b/packages/microsoft/1.2.1/kibana/visualization/microsoft-00e8fca0-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender ATP Incident Table", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft.defender_atp\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft.defender_atp\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "ATP Incident Table [Logs Microsoft]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"aggregate\":\"concat\",\"field\":\"@timestamp\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Incident ID\",\"field\":\"microsoft.defender_atp.incidentId\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Current 
Status\",\"field\":\"microsoft.defender_atp.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Assigned To\",\"field\":\"microsoft.defender_atp.assignedTo\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"10\",\"params\":{\"customLabel\":\"Category\",\"field\":\"threat.technique.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Description\",\"field\":\"rule.description\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":nul
l,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ATP Incident Table [Logs Microsoft]\",\"type\":\"table\"}" + }, + "id": "microsoft-00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/kibana/visualization/microsoft-3c64f400-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft/1.2.1/kibana/visualization/microsoft-3c64f400-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..711217c708 --- /dev/null +++ b/packages/microsoft/1.2.1/kibana/visualization/microsoft-3c64f400-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender ATP Counter for new incidents", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft.defender_atp\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft.defender_atp\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft.defender_atp\\\" \"}}" + }, + "title": "ATP New Incidents Counter [Logs Microsoft]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"New Incidents\",\"field\":\"microsoft.defender_atp.incidentId\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"ATP New Incidents Counter [Logs Microsoft]\",\"type\":\"metric\"}" + }, + "id": "microsoft-3c64f400-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": 
[ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/kibana/visualization/microsoft-62f081c0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft/1.2.1/kibana/visualization/microsoft-62f081c0-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..36d7e64a9e --- /dev/null +++ b/packages/microsoft/1.2.1/kibana/visualization/microsoft-62f081c0-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender ATP counter for related Users", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft.defender_atp\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft.defender_atp\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft.defender_atp\\\" \"}}" + }, + "title": "ATP Related Users Counter [Logs Microsoft]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Related Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"ATP Related Users Counter [Logs Microsoft]\",\"type\":\"metric\"}" + }, + "id": "microsoft-62f081c0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + 
"id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/kibana/visualization/microsoft-9e902dc0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft/1.2.1/kibana/visualization/microsoft-9e902dc0-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..1c32276d7d --- /dev/null +++ b/packages/microsoft/1.2.1/kibana/visualization/microsoft-9e902dc0-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender ATP counter for related domains", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft.defender_atp\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft.defender_atp\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft.defender_atp\\\" \"}}" + }, + "title": "ATP Domains Counter [Logs Microsoft]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Related Domains\",\"field\":\"microsoft.defender_atp.evidence.domainName\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"ATP Domains Counter [Logs Microsoft]\",\"type\":\"metric\"}" + }, + "id": "microsoft-9e902dc0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + 
"references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/kibana/visualization/microsoft-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft/1.2.1/kibana/visualization/microsoft-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..fa3c4f591a --- /dev/null +++ b/packages/microsoft/1.2.1/kibana/visualization/microsoft-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender ATP counter for related IP Addresses", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft.defender_atp\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft.defender_atp\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft.defender_atp\\\" \"}}" + }, + "title": "ATP IP Addresses Counter [Logs Microsoft]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Related Networks\",\"field\":\"microsoft.defender_atp.evidence.ipAddress\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"ATP IP Addresses Counter [Logs Microsoft]\",\"type\":\"metric\"}" + }, + "id": "microsoft-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + 
"default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft/1.2.1/manifest.yml b/packages/microsoft/1.2.1/manifest.yml new file mode 100755 index 0000000000..54af6e2c47 --- /dev/null +++ b/packages/microsoft/1.2.1/manifest.yml 
@@ -0,0 +1,51 @@
+format_version: 1.0.0
+name: microsoft
+title: Microsoft
+version: 1.2.1
+description: Deprecated. Use a specific Microsoft package instead.
+categories:
+  - "network"
+  - "security"
+  - "azure"
+release: experimental
+license: basic
+type: integration
+conditions:
+  kibana.version: "^7.14.1"
+policy_templates:
+  - name: microsoft
+    title: Microsoft
+    description: Collect logs from Microsoft products
+    inputs:
+      - type: udp
+        title: Collect logs from Microsoft DHCP via UDP
+        description: Collecting syslog from Microsoft DHCP via UDP
+      - type: tcp
+        title: Collect logs from Microsoft DHCP via TCP
+        description: Collecting syslog from Microsoft DHCP via TCP
+      - type: httpjson
+        title: "Collect Microsoft Defender ATP via HTTP"
+        description: "Collecting Defender ATP logs via HTTP"
+      - type: logfile
+        title: "Collect Microsoft Defender ATP and DHCP logs"
+        description: "Collecting Defender ATP and DHCP logs"
+icons:
+  - src: /img/logo.svg
+    title: Microsoft logo
+    size: 32x32
+    type: image/svg+xml
+screenshots:
+  - src: /img/filebeat-defender-atp-overview.png
+    title: Defender ATP overview
+    size: 2551x1315
+    type: image/png
+  - src: /img/siem-alerts-cs.jpg
+    title: SIEM alerts CS
+    size: 3360x1776
+    type: image/jpg
+  - src: /img/siem-events-cs.jpg
+    title: SIEM events CS
+    size: 3360x1776
+    type: image/jpg
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/microsoft_defender_endpoint/2.3.1/changelog.yml b/packages/microsoft_defender_endpoint/2.3.1/changelog.yml
new file mode 100755
index 0000000000..32aa536a4d
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/changelog.yml
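Review bot: Both JPEG screenshots declare `type: image/jpg`, which is not the registered media type for JPEG, while the neighbouring entries use the registered `image/png` and `image/svg+xml`; unless the package spec in use explicitly lists `image/jpg`, change both entries to `type: image/jpeg`. In the same file, `format_version: 1.0.0` and `version: 1.2.1` parse as strings only because they contain two dots; quoting them the way `kibana.version: "^7.14.1"` already is would make the intended type explicit.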
@@ -0,0 +1,56 @@
+# newer versions go on top
+- version: "2.3.1"
+  changes:
+    - description: Fix proxy URL documentation rendering.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3881
+- version: "2.3.0"
+  changes:
+    - description: Update package to ECS 8.3.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3353
+- version: "2.2.1"
+  changes:
+    - description: Update to Readme to include link to vendor documentation
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3272
+- version: "2.2.0"
+  changes:
+    - description: Update to ECS 8.2
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2780
+- version: "2.1.0"
+  changes:
+    - description: Add possibility to choose azure resource
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2916
+- version: "2.0.1"
+  changes:
+    - description: Add documentation for multi-fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2916
+- version: "2.0.0"
+  changes:
+    - description: Update to ECS 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2422
+- version: "1.1.0"
+  changes:
+    - description: Add 8.0.0 version constraint
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2234
+- version: "1.0.2"
+  changes:
+    - description: Update Title and Description.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1971
+- version: "1.0.1"
+  changes:
+    - description: Fix logic that checks for the 'forwarded' tag
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1829
+- version: "1.0.0"
+  changes:
+    - description: First version
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1777
diff --git a/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/agent/stream/httpjson.yml.hbs b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..6d462e94fe
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,45 @@
+config_version: "2"
+interval: {{interval}}
+auth.oauth2.client.id: {{client_id}}
+auth.oauth2.client.secret: {{client_secret}}
+auth.oauth2.token_url: {{login_url}}/{{tenant_id}}/oauth2/token
+auth.oauth2.provider: azure
+auth.oauth2.azure.resource: {{azure_resource}}
+request.url: {{request_url}}
+request.method: GET
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+request.transforms:
+  - set:
+      target: "header.User-Agent"
+      value: "MdatpPartner-Elastic-Filebeat/1.0.0"
+  - set:
+      target: "url.params.$expand"
+      value: evidence
+  - set:
+      target: "url.params.$filter"
+      value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]'
+      default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05.9999999Z"]]'
+response.split:
+  target: body.value
+  split:
+    target: body.evidence
+    keep_parent: true
+cursor:
+  lastUpdateTime:
+    value: "[[.last_response.body.lastUpdateTime]]"
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/agent/stream/log.yml.hbs b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..73636a0a7a
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/agent/stream/log.yml.hbs
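Review bot: `auth.oauth2.client.secret: {{client_secret}}` (and likewise `auth.oauth2.client.id`, `request.url`, `request.proxy_url`) is emitted as a plain YAML scalar, so the template output is parsed as YAML after substitution: a secret or URL containing ` #` or `: `, or starting with `*`, `&`, `[` or `{`, breaks the rendered input config or is read as a different type, and an all-digit or `NO`-like secret silently stops being a string. Render these as guaranteed strings, e.g. `auth.oauth2.client.secret: {{escape_string client_secret}}`, if that helper is available in the Kibana versions this package targets; plain double quotes are a weaker fallback because an embedded `"` or `\` in the secret would still break the YAML. The same applies to `- {{path}}` in log.yml.hbs in the next hunk. Style only: `{{#if proxy_url }}` carries a stray space before the closing braces, unlike every other helper in the file.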
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path i|}}
+  - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..acd4b363a2
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,326 @@
+---
+description: Pipeline for parsing Microsoft Defender for Endpoint logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.3.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - remove:
+ field:
+ - json.comments
+ - host
+ - cloud
+ ignore_missing: true
+
+#########################
+## ECS General Mapping ##
+#########################
+ - script:
+ lang: painless
+ if: ctx?.json != null
+ params:
+ values:
+ - null
+ - ""
+ - "-"
+ - "N/A"
+ source: |
+ if (!ctx['json'].empty) {
+ ctx.json.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
+ }
+ - script:
+ lang: painless
+ if: ctx?.json?.evidence != null
+ params:
+ values:
+ - null
+ - ""
+ - "-"
+ - "N/A"
+ source: |
+ if (!ctx.json['evidence'].empty) {
+ ctx.json.evidence.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
+ }
+ - set:
+ field: cloud.provider
+ value: azure
+ - set:
+ field: '@timestamp'
+ value: '{{json.alertUpdateTime}}'
+ if: ctx.json?.alertUpdateTime != null
+ - rename:
+ field: json.aadTenantId
+ target_field: cloud.account.id
+ ignore_missing: true
+ - rename:
+ field: json.machineId
+ target_field: cloud.instance.id
+ ignore_missing: true
+ - rename:
+ field: json.title
+ target_field: message
+ ignore_missing: true
+
+#######################
+## ECS Event Mapping ##
+#######################
+ - set:
+ field: event.kind
+ value: alert
+# Events returned from the API is always in UTC, so should never use anything else
+ - set:
+ field: event.timezone
+ value: UTC
+ - set:
+ field: event.action
+ value: '{{json.category}}'
+ if: ctx.json?.category != null
+ - set:
+ field: event.provider
+ value: defender_endpoint
+ - set:
+ field: event.created
+ value: '{{json.alertCreationTime}}'
+ if: ctx.json?.alertCreationTime != null
+ - append:
+ field: event.category
+ value: host
+ - append:
+ field: event.category
+ value: malware
+ if: 
ctx.json?.category == 'Malware'
+ - append:
+ field: event.category
+ value: process
+ if: ctx.json?.evidence?.entityType == 'Process'
+ - append:
+ field: event.type
+ value: user
+ if: ctx.json?.evidence?.entityType == 'User'
+ - append:
+ field: event.type
+ value:
+ - creation
+ - start
+ if: ctx.json?.status == 'New'
+ - append:
+ field: event.type
+ value: end
+ if: ctx.json?.status == 'Resolved'
+ - rename:
+ field: json.id
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: json.firstEventTime
+ target_field: event.start
+ ignore_missing: true
+ - rename:
+ field: json.lastEventTime
+ target_field: event.end
+ ignore_missing: true
+ - set:
+ field: event.severity
+ value: 0
+ if: ctx.json?.severity == 'Unspecified'
+ - set:
+ field: event.severity
+ value: 1
+ if: ctx.json?.severity == 'Informational'
+ - set:
+ field: event.severity
+ value: 2
+ if: ctx.json?.severity == 'Low'
+ - set:
+ field: event.severity
+ value: 3
+ if: ctx.json?.severity == 'Medium'
+ - set:
+ field: event.severity
+ value: 4
+ if: ctx.json?.severity == 'High'
+ - script:
+ lang: painless
+ if: "ctx?.event?.start != null && ctx?.event?.end != null"
+ source: >
+ Instant eventstart = ZonedDateTime.parse(ctx?.event?.start).toInstant();
+ Instant eventend = ZonedDateTime.parse(ctx?.event?.end).toInstant();
+ ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend);
+
+########################
+## ECS Threat Mapping ##
+########################
+ - set:
+ field: threat.framework
+ value: MITRE ATT&CK
+ if: ctx.json?.category != null
+ - rename:
+ field: json.category
+ target_field: threat.technique.name
+ ignore_missing: true
+ - rename:
+ field: json.description
+ target_field: rule.description
+ ignore_missing: true
+ if: (ctx.json?.description).length() < 1020
+
+######################
+## ECS File Mapping ##
+######################
+ - rename:
+ field: json.evidence.fileName
+ target_field: file.name
+ ignore_missing: true
+ - rename:
+ field: 
json.evidence.sha256
+ target_field: file.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.evidence.sha1
+ target_field: file.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: json.evidence.filePath
+ target_field: file.path
+ ignore_missing: true
+
+######################
+## ECS Process Mapping ##
+######################
+ - rename:
+ field: json.evidence.processId
+ target_field: process.pid
+ ignore_missing: true
+ - rename:
+ field: json.evidence.processCommandLine
+ target_field: process.command_line
+ ignore_missing: true
+ - rename:
+ field: json.evidence.processCreationTime
+ target_field: process.start
+ ignore_missing: true
+ - rename:
+ field: json.evidence.parentProcessId
+ target_field: process.parent.pid
+ ignore_missing: true
+ - rename:
+ field: json.evidence.parentProcessCreationTime
+ target_field: process.parent.start
+ ignore_missing: true
+
+##########################
+## ECS Observer Mapping ##
+##########################
+ - set:
+ field: observer.product
+ value: Defender for Endpoint
+ - set:
+ field: observer.vendor
+ value: Microsoft
+ - rename:
+ field: json.detectionSource
+ target_field: observer.name
+ ignore_missing: true
+
+#####################
+## ECS URL Mapping ##
+#####################
+ - rename:
+ field: json.evidence.url
+ target_field: url.full
+ ignore_missing: true
+ if: ctx?.json?.evidence?.url != null
+ - uri_parts:
+ field: url.full
+ ignore_failure: true
+ if: ctx?.url?.full != null
+
+######################
+## ECS Host Mapping ##
+######################
+ - rename:
+ field: json.computerDnsName
+ target_field: host.hostname
+ ignore_missing: true
+ - set:
+ field: host.name
+ value: '{{host.hostname}}'
+ if: ctx?.host?.hostname != null
+
+######################
+## ECS User Mapping ##
+######################
+ - rename:
+ field: json.relatedUser.userName
+ target_field: user.name
+ ignore_missing: true
+ - rename:
+ field: json.relatedUser.domainName
+ target_field: user.domain
+ ignore_missing: 
true
+ - rename:
+ field: json.evidence.userSid
+ target_field: user.id
+ ignore_missing: true
+
+#########################
+## ECS Related Mapping ##
+#########################
+ - append:
+ field: related.ip
+ value: '{{json.evidence.ipAddress}}'
+ if: ctx.json?.evidence?.ipAddress != null
+ - append:
+ field: related.user
+ value: '{{user.name}}'
+ if: ctx.user?.name != null
+ - append:
+ field: related.hash
+ value: '{{file.hash.sha1}}'
+ if: ctx.file?.hash?.sha1 != null
+ - append:
+ field: related.hash
+ value: '{{file.hash.sha256}}'
+ if: ctx.file?.hash?.sha256 != null
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
+
+#############
+## Cleanup ##
+#############
+ - remove:
+ field:
+ - json.alertCreationTime
+ - json.severity
+ - json.relatedUser
+ ignore_missing: true
+ - rename:
+ field: json
+ target_field: microsoft.defender_endpoint
+ ignore_missing: true
+ - convert:
+ field: microsoft.defender_endpoint.incidentId
+ type: string
+ ignore_missing: true
+ - convert:
+ field: microsoft.defender_endpoint.investigationId
+ type: string
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{_ingest.on_failure_message}}'
diff --git a/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/agent.yml b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/agent.yml
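Review bot: The `rule.description` rename at the end of the threat section is gated on `if: (ctx.json?.description).length() < 1020`, which calls `.length()` on `null` whenever an alert carries no description, so the processor throws before `ignore_missing` is consulted and the whole document lands in `on_failure` with only `error.message` set; use `if: ctx.json?.description != null && ctx.json.description.length() < 1020`. `@timestamp` is copied from `json.alertUpdateTime`, while the cursor in `httpjson.yml.hbs`, `fields.yml` and the committed `sample_event.json` all use `lastUpdateTime` (the sample's `@timestamp` is `2022-01-02T01:30:05.670Z` against an `event.created` of `2021-01-26T20:33:57.7220239Z`, i.e. it looks like collection time rather than alert time), so the condition appears never to match; confirm the API field name and point the `set` at it. `json.category` (`Execution` in the sample) is written to both `event.action` and `threat.technique.name` under `threat.framework: MITRE ATT&CK`; that value reads like a tactic rather than a technique, so `threat.tactic.name` may be the closer ECS field — worth checking against the API's documented category values before the mapping is relied on in detections.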
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/base-fields.yml b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..fa6e341507
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: microsoft_defender_endpoint
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: microsoft_defender_endpoint.log
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/ecs.yml b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..ff1822b5e5
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/ecs.yml
@@ -0,0 +1,205 @@
+- description: Unique container id.
+ name: container.id
+ type: keyword
+- description: Name of the image the container was built on.
+ name: container.image.name
+ type: keyword
+- description: Container image tags.
+ name: container.image.tag
+ type: keyword
+- description: Image labels.
+ name: container.labels
+ type: object
+- description: Container name.
+ name: container.name
+ type: keyword
+- description: Runtime managing this container.
+ name: container.runtime
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: event.end contains the date when the event ended or when the activity was last observed.
+ name: event.end
+ type: date
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: file.extension
+ type: keyword
+- description: MD5 hash.
+ name: file.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: file.hash.sha512
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+ name: log.logger
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ Custom name of the observer.
+ This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
+ If no custom name is needed, the field can be left empty.
+ name: observer.name
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: |-
+ The type of the observer the data is coming from.
+ There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.command_line
+ type: wildcard
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: The time the process started.
+ name: process.parent.start
+ type: date
+- description: Process id.
+ name: process.pid
+ type: long
+- description: The time the process started.
+ name: process.start
+ type: date
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The description of the rule generating the event.
+ name: rule.description
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
+ name: threat.framework
+ type: keyword
+- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/)
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: threat.technique.name
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
diff --git a/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/fields.yml b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/fields.yml
new file mode 100755
index 0000000000..ad1ed731d8
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/fields/fields.yml
@@ -0,0 +1,72 @@
+- name: microsoft.defender_endpoint
+ type: group
+ release: ga
+ fields:
+ - name: lastUpdateTime
+ type: date
+ description: |
+ The date and time (in UTC) the alert was last updated.
+ - name: resolvedTime
+ type: date
+ description: |
+ The date and time in which the status of the alert was changed to 'Resolved'.
+ - name: incidentId
+ type: keyword
+ description: |
+ The Incident ID of the Alert.
+ - name: investigationId
+ type: keyword
+ description: |
+ The Investigation ID related to the Alert.
+ - name: investigationState
+ type: keyword
+ description: |
+ The current state of the Investigation.
+ - name: assignedTo
+ type: keyword
+ description: |
+ Owner of the alert.
+ - name: status
+ type: keyword
+ description: |
+ Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
+ - name: classification
+ type: keyword
+ description: |
+ Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+ - name: determination
+ type: keyword
+ description: |
+ Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
+ - name: threatFamilyName
+ type: keyword
+ description: |
+ Threat family.
+ - name: rbacGroupName
+ type: keyword
+ description: |
+ User group related to the alert
+ - name: evidence.domainName
+ type: keyword
+ description: |
+ Domain name related to the alert
+ - name: evidence.ipAddress
+ type: ip
+ description: |
+ IP address involved in the alert
+ - name: evidence.aadUserId
+ type: keyword
+ description: |
+ ID of the user involved in the alert
+ - name: evidence.accountName
+ type: keyword
+ description: |
+ Username of the user involved in the alert
+ - name: evidence.entityType
+ type: keyword
+ description: |
+ The type of evidence
+ - name: evidence.userPrincipalName
+ type: keyword
+ description: |
+ Principal name of the user involved in the alert
diff --git a/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/manifest.yml b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..2d328372c5
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/manifest.yml
@@ -0,0 +1,129 @@
+type: logs
+title: Microsoft Defender for Endpoint logs
+streams:
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: Microsoft Defender for Endpoint logs
+ description: Collect Microsoft Defender for Endpoint logs from API
+ vars:
+ - name: client_id
+ type: text
+ title: Client ID
+ description: The client ID related to creating a new application on Azure.
+ multi: false
+ required: true
+ show_user: true
+ - name: client_secret
+ type: text
+ title: Client Secret
+ description: The secret related to the client ID.
+ multi: false
+ required: true
+ show_user: true
+ - name: tenant_id
+ type: text
+ title: Tenant ID
+ description: The tenant ID related to creating a new application on Azure.
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 5m
+ description: The interval between requests to the HTTP API.
+ - name: azure_resource
+ type: text
+ title: Azure Resource
+ multi: false
+ required: true
+ default: https://api.securitycenter.windows.com/
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: login_url
+ type: text
+ title: OAuth Server URL
+ required: true
+ show_user: false
+ default: https://login.microsoftonline.com/
+ description: "URL of Login server 'tenant-id/oauth2/token added automatically'"
+ - name: request_url
+ type: text
+ title: Security Center URL
+ required: true
+ show_user: false
+ default: https://api.securitycenter.windows.com/api/alerts
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - microsoft-defender-endpoint
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original 
event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ template_path: log.yml.hbs
+ title: Microsoft Defender for Endpoint logs
+ description: Collect Microsoft Defender for Endpoint logs from a file
+ enabled: false
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - microsoft-defender-endpoint
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/sample_event.json b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..e92e566713
--- /dev/null
+++ b/packages/microsoft_defender_endpoint/2.3.1/data_stream/log/sample_event.json
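Review bot: `client_secret` on the httpjson stream is declared `type: text`, so the secret is rendered in clear in the policy editor; package-spec has `type: password` for this case, and `type: password` masks the value in the UI without changing how the template consumes it. The `azure_resource` description (`URL to proxy connections in the form of http\[s\]://:@:`) is a copy of the `proxy_url` text and does not describe the variable; something like `Resource identifier of the Defender for Endpoint API for which the OAuth2 token is requested.` matches the default value. The `proxy_url` description itself appears to have lost its placeholders between the `://`, `:` and `@` separators — presumably `<user>:<password>@<host>:<port>` — and should be restored so the expected form is readable. The `login_url` default keeps a trailing slash while `httpjson.yml.hbs` in this commit appends `/{{tenant_id}}/oauth2/token`, producing a `//` in the token URL; `default: https://login.microsoftonline.com` would match the template.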
@@ -0,0 +1,110 @@ +{ + "@timestamp": "2022-01-02T01:30:05.670Z", + "agent": { + "ephemeral_id": "9cc31363-7ffb-4763-9bec-cef372647d15", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cloud": { + "account": { + "id": "a839b112-1253-6432-9bf6-94542403f21c" + }, + "instance": { + "id": "111e6dd8c833c8a052ea231ec1b19adaf497b625" + }, + "provider": "azure" + }, + "data_stream": { + "dataset": "microsoft_defender_endpoint.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "Execution", + "agent_id_status": "verified", + "category": [ + "host" + ], + "created": "2021-01-26T20:33:57.7220239Z", + "dataset": "microsoft_defender_endpoint.log", + "duration": 101466100, + "end": "2021-01-26T20:31:33.0577322Z", + "id": "da637472900382838869_1364969609", + "ingested": "2022-01-02T01:30:06Z", + "kind": "alert", + "provider": "defender_endpoint", + "severity": 2, + "start": "2021-01-26T20:31:32.9562661Z", + "timezone": "UTC", + "type": [ + "user", + "creation", + "start" + ] + }, + "host": { + "hostname": "temp123.middleeast.corp.microsoft.com", + "name": "temp123.middleeast.corp.microsoft.com" + }, + "input": { + "type": "httpjson" + }, + "message": "Low-reputation arbitrary code executed by signed executable", + "microsoft": { + "defender_endpoint": { + "evidence": { + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "accountName": "name", + "domainName": "DOMAIN", + "entityType": "User", + "userPrincipalName": "temp123@microsoft.com" + }, + "incidentId": "1126093", + "investigationState": "Queued", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", + "rbacGroupName": "A", + "status": "New" + } + }, + "observer": { + "name": "WindowsDefenderAtp", + "product": "Defender for Endpoint", + "vendor": "Microsoft" + }, 
+ "related": { + "hosts": [ + "temp123.middleeast.corp.microsoft.com" + ], + "user": [ + "temp123" + ] + }, + "rule": { + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C\u0026C) server." + }, + "tags": [ + "microsoft-defender-endpoint", + "forwarded" + ], + "threat": { + "framework": "MITRE ATT\u0026CK", + "technique": { + "name": "Execution" + } + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-5-21-11111607-1111760036-109187956-75141", + "name": "temp123" + } +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.3.1/docs/README.md b/packages/microsoft_defender_endpoint/2.3.1/docs/README.md new file mode 100755 index 0000000000..2a42367291 --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/docs/README.md 
@@ -0,0 +1,270 @@ +# Microsoft Defender for Endpoint integration + +This integration is for [Microsoft Defender for Endpoint](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) logs. + +## Setting up + +To allow the integration to ingest data from the Microsoft Defender API, you need to create a new application on your Azure domain. The procedure to create an application is found on the [Create a new Azure Application](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) documentation page. + +> Note: When giving the application the API permissions described in the documentation (`Windows Defender ATP Alert.Read.All`), it will only grant access to read alerts from ATP and nothing else in the Azure Domain + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. + +These values are: + +- Client ID +- Client Secret +- Tenant ID + +## ECS mappings + +| Defender for Endpoint fields | ECS Fields | +| ---------------------------------- | --------------------- | +| alertCreationTime | @timestamp | +| aadTenantId | cloud.account.id | +| category | threat.technique.name | +| computerDnsName | host.hostname | +| description | rule.description | +| detectionSource | observer.name | +| evidence.fileName | file.name | +| evidence.filePath | file.path | +| evidence.processId | process.pid | +| evidence.processCommandLine | process.command_line | +| evidence.processCreationTime | process.start | +| evidence.parentProcessId | process.parent.pid | +| evidence.parentProcessCreationTime | process.parent.start | +| evidence.sha1 | file.hash.sha1 | +| evidence.sha256 | file.hash.sha256 | +| evidence.url | url.full | +| firstEventTime | event.start | +| id | event.id | +| lastEventTime | event.end | +| machineId | cloud.instance.id | +| title | message | +| severity | event.severity | 
+ +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-01-02T01:30:05.670Z", + "agent": { + "ephemeral_id": "9cc31363-7ffb-4763-9bec-cef372647d15", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cloud": { + "account": { + "id": "a839b112-1253-6432-9bf6-94542403f21c" + }, + "instance": { + "id": "111e6dd8c833c8a052ea231ec1b19adaf497b625" + }, + "provider": "azure" + }, + "data_stream": { + "dataset": "microsoft_defender_endpoint.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "Execution", + "agent_id_status": "verified", + "category": [ + "host" + ], + "created": "2021-01-26T20:33:57.7220239Z", + "dataset": "microsoft_defender_endpoint.log", + "duration": 101466100, + "end": "2021-01-26T20:31:33.0577322Z", + "id": "da637472900382838869_1364969609", + "ingested": "2022-01-02T01:30:06Z", + "kind": "alert", + "provider": "defender_endpoint", + "severity": 2, + "start": "2021-01-26T20:31:32.9562661Z", + "timezone": "UTC", + "type": [ + "user", + "creation", + "start" + ] + }, + "host": { + "hostname": "temp123.middleeast.corp.microsoft.com", + "name": "temp123.middleeast.corp.microsoft.com" + }, + "input": { + "type": "httpjson" + }, + "message": "Low-reputation arbitrary code executed by signed executable", + "microsoft": { + "defender_endpoint": { + "evidence": { + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "accountName": "name", + "domainName": "DOMAIN", + "entityType": "User", + "userPrincipalName": "temp123@microsoft.com" + }, + "incidentId": "1126093", + "investigationState": "Queued", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", + "rbacGroupName": "A", + "status": "New" + } + }, + "observer": { + "name": "WindowsDefenderAtp", + "product": "Defender 
for Endpoint", + "vendor": "Microsoft" + }, + "related": { + "hosts": [ + "temp123.middleeast.corp.microsoft.com" + ], + "user": [ + "temp123" + ] + }, + "rule": { + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C\u0026C) server." + }, + "tags": [ + "microsoft-defender-endpoint", + "forwarded" + ], + "threat": { + "framework": "MITRE ATT\u0026CK", + "technique": { + "name": "Execution" + } + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-5-21-11111607-1111760036-109187956-75141", + "name": "temp123" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.image.tag | Container image tags. | keyword | +| container.labels | Image labels. 
| object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. 
In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. 
What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.hash.sha512 | SHA512 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
| keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| microsoft.defender_endpoint.assignedTo | Owner of the alert. | keyword | +| microsoft.defender_endpoint.classification | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. | keyword | +| microsoft.defender_endpoint.determination | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. | keyword | +| microsoft.defender_endpoint.evidence.aadUserId | ID of the user involved in the alert | keyword | +| microsoft.defender_endpoint.evidence.accountName | Username of the user involved in the alert | keyword | +| microsoft.defender_endpoint.evidence.domainName | Domain name related to the alert | keyword | +| microsoft.defender_endpoint.evidence.entityType | The type of evidence | keyword | +| microsoft.defender_endpoint.evidence.ipAddress | IP address involved in the alert | ip | +| microsoft.defender_endpoint.evidence.userPrincipalName | Principal name of the user involved in the alert | keyword | +| microsoft.defender_endpoint.incidentId | The Incident ID of the Alert. | keyword | +| microsoft.defender_endpoint.investigationId | The Investigation ID related to the Alert. | keyword | +| microsoft.defender_endpoint.investigationState | The current state of the Investigation. | keyword | +| microsoft.defender_endpoint.lastUpdateTime | The date and time (in UTC) the alert was last updated. 
| date | +| microsoft.defender_endpoint.rbacGroupName | User group related to the alert | keyword | +| microsoft.defender_endpoint.resolvedTime | The date and time in which the status of the alert was changed to 'Resolved'. | date | +| microsoft.defender_endpoint.status | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. | keyword | +| microsoft.defender_endpoint.threatFamilyName | Threat family. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.start | The time the process started. | date | +| process.pid | Process id. | long | +| process.start | The time the process started. | date | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/microsoft_defender_endpoint/2.3.1/img/filebeat-defender-atp-overview.png b/packages/microsoft_defender_endpoint/2.3.1/img/filebeat-defender-atp-overview.png new file mode 100755 index 0000000000..7df250e2ae Binary files /dev/null and b/packages/microsoft_defender_endpoint/2.3.1/img/filebeat-defender-atp-overview.png differ diff --git a/packages/microsoft_defender_endpoint/2.3.1/img/logo.svg b/packages/microsoft_defender_endpoint/2.3.1/img/logo.svg new file mode 100755 index 0000000000..8392768616 --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/img/logo.svg @@ -0,0 +1,25 @@ + + + + + + 
diff --git a/packages/microsoft_defender_endpoint/2.3.1/img/siem-alerts-cs.jpg b/packages/microsoft_defender_endpoint/2.3.1/img/siem-alerts-cs.jpg new file mode 100755 index 0000000000..b74edfe229 Binary files /dev/null and b/packages/microsoft_defender_endpoint/2.3.1/img/siem-alerts-cs.jpg differ diff --git a/packages/microsoft_defender_endpoint/2.3.1/img/siem-events-cs.jpg b/packages/microsoft_defender_endpoint/2.3.1/img/siem-events-cs.jpg new file mode 100755 index 0000000000..9839f73821 Binary files /dev/null and b/packages/microsoft_defender_endpoint/2.3.1/img/siem-events-cs.jpg differ diff --git a/packages/microsoft_defender_endpoint/2.3.1/kibana/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.3.1/kibana/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..c9bffa7d61 --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/kibana/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,59 @@ +{ + "attributes": { + "description": "Microsoft Defender for Endpoint Alert Overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:microsoft_defender_endpoint.log\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8343f7ea-b977-44bf-bf81-6d41742093a4\",\"w\":4,\"x\":0,\"y\":0},\"panelIndex\":\"8343f7ea-b977-44bf-bf81-6d41742093a4\",\"panelRefName\":\"panel_0\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":24,\"i\":\"74d36139-4d22-44d4-bfc8-020c575febb1\",\"w\":25,\"x\":4,\"y\":0},\"panelIndex\":\"74d36139-4d22-44d4-bfc8-020c575febb1\",\"panelRefName\":\"panel_1\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":24,\"i\":\"a3e140ed-a0ed-4da0-8142-72d68fd7c5e5\",\"w\":19,\"x\":29,\"y\":0},\"panelIndex\":\"a3e140ed-a0ed-4da0-8142-72d68fd7c5e5\",\"panelRefName\":\"panel_2\",\"title\":\"Techniques [Microsoft Defender for 
Endpoint]\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"f3843ab0-8b0f-4f64-805c-4ab0d0965d8a\",\"w\":4,\"x\":0,\"y\":6},\"panelIndex\":\"f3843ab0-8b0f-4f64-805c-4ab0d0965d8a\",\"panelRefName\":\"panel_3\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"16e7059b-70a5-4ea4-b622-9015d7430419\",\"w\":4,\"x\":0,\"y\":12},\"panelIndex\":\"16e7059b-70a5-4ea4-b622-9015d7430419\",\"panelRefName\":\"panel_4\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"d8a5a667-ed0b-42ed-ae7d-edbfa722677f\",\"w\":4,\"x\":0,\"y\":18},\"panelIndex\":\"d8a5a667-ed0b-42ed-ae7d-edbfa722677f\",\"panelRefName\":\"panel_5\",\"version\":\"7.8.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"cb8de6bb-1096-427d-834e-210963aad3e5\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"cb8de6bb-1096-427d-834e-210963aad3e5\",\"panelRefName\":\"panel_6\",\"version\":\"7.8.1\"}]", + "timeRestore": false, + "title": "[Microsoft Defender for Endpoint] Overview", + "version": 1 + }, + "id": "microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55", + "name": "panel_1", + "type": "lens" + }, + { + "id": "microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_2", + "type": "lens" + }, + { + "id": "microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_4", + "type": "visualization" + }, + { + "id": 
"microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.3.1/kibana/lens/microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.3.1/kibana/lens/microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..028339d995 --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/kibana/lens/microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,139 @@ +{ + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f93e2634-0dd5-4aec-b6de-45284dd39630": { + "columnOrder": [ + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51", + "0f67be87-cc6f-48e7-8afd-d9401037d006" + ], + "columns": { + "0f67be87-cc6f-48e7-8afd-d9401037d006": { + "dataType": "number", + "isBucketed": false, + "label": "Number of techniques", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51": { + "dataType": "string", + "isBucketed": true, + "label": "Related MITRE attach techniques", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.technique.name" + } + } + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.integration", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.integration": "microsoft_defender_endpoint" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.log" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51" + ], + "layerId": "f93e2634-0dd5-4aec-b6de-45284dd39630", + "legendDisplay": "default", + "metric": "0f67be87-cc6f-48e7-8afd-d9401037d006", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + 
"shape": "treemap" + } + }, + "title": "Techniques [Microsoft Defender for Endpoint]", + "visualizationType": "lnsPie" + }, + "id": "microsoft_defender_endpoint-14d367f0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f93e2634-0dd5-4aec-b6de-45284dd39630", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.3.1/kibana/lens/microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.3.1/kibana/lens/microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..e3b06ec51c --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/kibana/lens/microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,164 @@ +{ + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ac550ae9-6e17-4944-9545-25bbe83d9dbb": { + "columnOrder": [ + "19ade524-0042-4ecd-ac59-9696c8c2e225", + "677e5501-ca31-435c-8eab-38b5297e54c2", + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "columns": { + "19ade524-0042-4ecd-ac59-9696c8c2e225": { + "dataType": "number", + "isBucketed": true, + "label": "Top values of event.severity", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "27212c7c-83ee-4292-a4c6-396d9b77dce6", + "type": "column" + }, + "orderDirection": "desc", + "size": 6 + }, + "scale": "ordinal", + "sourceField": "event.severity" + }, + "27212c7c-83ee-4292-a4c6-396d9b77dce6": { + "dataType": "number", + "isBucketed": false, + "label": "Number of incidents", + "operationType": "cardinality", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "microsoft.defender_endpoint.incidentId" + }, + "677e5501-ca31-435c-8eab-38b5297e54c2": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "24h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + } + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.integration", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.integration": "microsoft_defender_endpoint" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"data_stream.dataset": "microsoft_defender_endpoint.log" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "layerId": "ac550ae9-6e17-4944-9545-25bbe83d9dbb", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "19ade524-0042-4ecd-ac59-9696c8c2e225", + "xAccessor": "677e5501-ca31-435c-8eab-38b5297e54c2" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "New Incidents [Microsoft Defender for Endpoint]", + "visualizationType": "lnsXY" + }, + "id": "microsoft_defender_endpoint-e415af10-ca67-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.11.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ac550ae9-6e17-4944-9545-25bbe83d9dbb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..a8d751dea2 --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender for Endpoint Incident Table", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Incident Table [Microsoft Defender for Endpoint]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"aggregate\":\"concat\",\"field\":\"@timestamp\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Incident ID\",\"field\":\"microsoft.defender_endpoint.incidentId\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Current 
Status\",\"field\":\"microsoft.defender_endpoint.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Assigned To\",\"field\":\"microsoft.defender_endpoint.assignedTo\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"10\",\"params\":{\"customLabel\":\"Category\",\"field\":\"threat.technique.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Description\",\"field\":\"rule.description\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnI
ndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Incident Table [Microsoft Defender for Endpoint]\",\"type\":\"table\"}" + }, + "id": "microsoft_defender_endpoint-00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..519a8aa05a --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender for Endpoint Counter for new incidents", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft_defender_endpoint.log\\\" \"}}" + }, + "title": "New Incidents Counter [Microsoft Defender for Endpoint]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"New Incidents\",\"field\":\"microsoft.defender_endpoint.incidentId\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"New Incidents Counter [Microsoft Defender for Endpoint]\",\"type\":\"metric\"}" + }, + "id": 
"microsoft_defender_endpoint-3c64f400-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..c2f78c9696 --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender for Endpoint counter for related Users", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft_defender_endpoint.log\\\" \"}}" + }, + "title": "Related Users Counter [Microsoft Defender for Endpoint]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Related Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Related Users Counter [Microsoft Defender for Endpoint]\",\"type\":\"metric\"}" + }, + "id": "microsoft_defender_endpoint-62f081c0-ca68-11ea-9d4d-9737a63aaa55", + 
"migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..915fcf1d72 --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender for Endpoint counter for related domains", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft_defender_endpoint.log\\\" \"}}" + }, + "title": "Domains Counter [Microsoft Defender for Endpoint]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Related Domains\",\"field\":\"microsoft.defender_endpoint.evidence.domainName\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Domains Counter [Microsoft Defender for Endpoint]\",\"type\":\"metric\"}" + }, + "id": 
"microsoft_defender_endpoint-9e902dc0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55.json b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55.json new file mode 100755 index 0000000000..7c96dfb53c --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/kibana/visualization/microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "Microsoft Defender for Endpoint counter for related IP Addresses", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"prefix\\\":{\\\"data_stream.dataset\\\":\\\"microsoft_defender_endpoint.\\\"}}\"},\"query\":{\"prefix\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_defender_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_defender_endpoint.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"microsoft_defender_endpoint.log\\\" \"}}" + }, + "title": "IP Addresses Counter [Microsoft Defender for Endpoint]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Related Networks\",\"field\":\"microsoft.defender_endpoint.evidence.ipAddress\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"IP Addresses Counter [Microsoft Defender for Endpoint]\",\"type\":\"metric\"}" + }, + "id": 
"microsoft_defender_endpoint-b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/2.3.1/manifest.yml b/packages/microsoft_defender_endpoint/2.3.1/manifest.yml new file mode 100755 index 0000000000..f09c3896f8 --- /dev/null +++ b/packages/microsoft_defender_endpoint/2.3.1/manifest.yml 
@@ -0,0 +1,45 @@
+format_version: 1.0.0
+name: microsoft_defender_endpoint
+title: Microsoft Defender for Endpoint
+version: "2.3.1"
+description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent.
+categories:
+ - "network"
+ - "security"
+ - "azure"
+release: ga
+license: basic
+type: integration
+conditions:
+ kibana.version: ^7.14.1 || ^8.0.0
+policy_templates:
+ - name: microsoft_defender_endpoint
+ title: Microsoft Defender for Endpoint
+ description: Collect logs from Microsoft Defender for Endpoint
+ inputs:
+ - type: httpjson
+ title: "Collect Microsoft Defender for Endpoint logs via API"
+ description: "Collecting Defender for Endpoint logs via API"
+ - type: logfile
+ title: "Collect Microsoft Defender for Endpoint logs via file"
+ description: "Collecting Defender for Endpoint logs via file"
+icons:
+ - src: /img/logo.svg
+ title: Microsoft Defender for Endpoint logo
+ size: 32x32
+ type: image/svg+xml
+screenshots:
+ - src: /img/filebeat-defender-atp-overview.png
+ title: Defender Endpoint overview
+ size: 2551x1315
+ type: image/png
+ - src: /img/siem-alerts-cs.jpg
+ title: SIEM alerts CS
+ size: 3360x1776
+ type: image/jpg
+ - src: /img/siem-events-cs.jpg
+ title: SIEM events CS
+ size: 3360x1776
+ type: image/jpg
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/sonicwall/0.8.2/changelog.yml b/packages/sonicwall/0.8.2/changelog.yml
new file mode 100755
index 0000000000..87dad420e4
--- /dev/null
+++ b/packages/sonicwall/0.8.2/changelog.yml
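Review bot: The two `.jpg` screenshots under `screenshots:` declare `type: image/jpg`, which is not the registered MIME type for JPEG; the PNG and SVG entries in the same list use the correct `image/png` and `image/svg+xml`. If the package-spec validator accepts `image/jpg` as an alias this is cosmetic, but any consumer that keys on the MIME string will treat these screenshots as an unknown type. Change both entries to `type: image/jpeg`.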
@@ -0,0 +1,111 @@
+# newer versions go on top
+- version: "0.8.2"
+ changes:
+ - description: Mark package as deprecated. Please migrate to the sonicwall_firewall package.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3365
+- version: "0.8.1"
+ changes:
+ - description: Format source.mac and destination.mac as per ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3360
+- version: "0.8.0"
+ changes:
+ - description: Update to ECS 8.2.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2780
+- version: "0.7.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "0.7.0"
+ changes:
+ - description: Update to ECS 8.0.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2595
+- version: "0.6.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "0.6.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2248
+- version: "0.5.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2087
+- version: "0.5.3"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1986
+- version: "0.5.2"
+ changes:
+ - description: Fixed a bug that prevents the package from working in 7.16.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1882
+- version: "0.5.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1850
+- version: "0.5.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1677
+- version: '0.4.4'
+ changes:
+ - description: Requires version 7.14.1 of the stack
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1541
+- version: "0.4.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1503
+- version: '0.4.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1417
+- version: "0.4.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "0.4.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.3.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1274
+- version: "0.2.0"
+ changes:
+ - description: update to ECS 1.10.0 and adding event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1101
+- version: "0.1.5"
+ changes:
+ - description: Add missing "geo" fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/919
+- version: "0.1.4"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/869
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: 
https://github.com/elastic/package-storage/pull/181
diff --git a/packages/sonicwall/0.8.2/data_stream/firewall/agent/stream/stream.yml.hbs b/packages/sonicwall/0.8.2/data_stream/firewall/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..180ea60135
--- /dev/null
+++ b/packages/sonicwall/0.8.2/data_stream/firewall/agent/stream/stream.yml.hbs
@@ -0,0 +1,9739 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Sonicwall" + product: "Firewalls" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+
evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch?
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined?
date.toDate() : undefined;
+ }
+
+ function date_time_try_pattern_at_pos(fmt, str, pos, date) {
+ var len = str.length;
+ for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
+ pos = fmt[proc](str, pos, date);
+ }
+ return pos;
+ }
+
+ function date_time(opts) {
+ return function (evt) {
+ var tzOffset = opts.tz || tz_offset;
+ if (tzOffset === "event") {
+ tzOffset = evt.Get("event.timezone");
+ }
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
+ if (date !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, date);
+ return;
+ }
+ }
+ if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
+ };
+ }
+
+ var uA = 60 * 60 * 24;
+ var uD = 60 * 60 * 24;
+ var uF = 60 * 60;
+ var uG = 60 * 60 * 24 * 30;
+ var uH = 60 * 60;
+ var uI = 60 * 60;
+ var uJ = 60 * 60 * 24;
+ var uM = 60 * 60 * 24 * 30;
+ var uN = 60 * 60;
+ var uO = 1;
+ var uS = 1;
+ var uT = 60;
+ var uU = 60;
+ var uc = dc;
+
+ function duration(opts) {
+ return function(evt) {
+ var str = date_time_join_args(evt, opts.args);
+ for (var i = 0; i < opts.fmts.length; i++) {
+ var seconds = duration_try_pattern(opts.fmts[i], str);
+ if (seconds !== undefined) {
+ evt.Put(FIELDS_PREFIX + opts.dest, seconds);
+ return;
+ }
+ }
+ if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
+ };
+ }
+
+ function duration_try_pattern(fmt, str) {
+ var secs = 0;
+ var pos = 0;
+ for (var i=0; i [ month_id , how many chars to skip if month in long form ]
+ "Jan": [0, 4],
+ "Feb": [1, 5],
+ "Mar": [2, 2],
+ "Apr": [3, 2],
+ "May": [4, 0],
+ "Jun": [5, 1],
+ "Jul": [6, 1],
+ "Aug": [7, 3],
+ "Sep": [8, 6],
+ "Oct": [9, 4],
+ "Nov": [10, 5],
+ "Dec": [11, 4],
+ "jan": [0, 4],
+ "feb": [1, 5],
+ "mar": [2, 2],
+ "apr": [3, 2],
+ "may": [4, 0],
+ "jun": [5, 1],
+ "jul": [6, 1],
+ "aug": [7, 3],
+ "sep": [8, 6],
+ "oct": [9, 4],
+ "nov": [10,
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices.
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length?
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ?
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port.
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0?
+ cfg.open_quote.length + cfg.close_quote.length : 0;
+ var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$');
+ return function(evt) {
+ var msg = evt.Get(src);
+ if (msg === undefined) {
+ console.warn("tagval: input field is missing");
+ return fail(evt);
+ }
+ var pairs = msg.split(cfg.pair_separator);
+ var i;
+ var success = false;
+ var prev = "";
+ for (i=0; i 0 &&
+ value.length >= cfg.open_quote.length + cfg.close_quote.length &&
+ value.substr(0, cfg.open_quote.length) === cfg.open_quote &&
+ value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) {
+ value = value.substr(cfg.open_quote.length, value.length - quotes_len);
+ }
+ evt.Put(FIELDS_PREFIX + field, value);
+ success = true;
+ }
+ if (!success) {
+ return fail(evt);
+ }
+ if (on_success != null) {
+ on_success(evt);
+ }
+ }
+ }
+
+ var ecs_mappings = {
+ "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
+ "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
+ "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
+ "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
+ "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
+ "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
+ "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
+ "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
+ "application": {to:[{field: "network.application", setter: fld_set}]},
+ "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
+ "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
+ "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
+
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field:
"host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip,
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter:
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio:
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter:
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field:
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + + var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup12 = setc("eventcategory","1502010000"); + + var dup13 = setc("eventcategory","1502020000"); + + var dup14 = setc("eventcategory","1002010000"); + + var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var dup18 = setf("hostip","hhostip"); + + var dup19 = setf("id","hid"); + + var dup20 = setf("serial_number","hserial_number"); + + var dup21 = setf("category","hcategory"); + + var dup22 = setf("severity","hseverity"); + + var dup23 = setc("eventcategory","1805010000"); + + var dup24 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], + }); + + var dup25 = setc("eventcategory","1302000000"); + + var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var dup30 = setc("eventcategory","1401050100"); + + var dup31 = setc("eventcategory","1401030000"); + + var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" 
n=%{fld->} src=%{p0}"); + + var dup33 = setc("eventcategory","1301020000"); + + var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var dup44 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var 
dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var dup59 = setc("ec_subject","NetworkComm"); + + var dup60 = setc("ec_activity","Deny"); + + var dup61 = setc("ec_theme","Communication"); + + var dup62 = setf("msg","$MSG"); + + var dup63 = setc("action","dropped"); + + var dup64 = setc("eventcategory","1608010000"); + + var dup65 = setc("eventcategory","1302010000"); + + var dup66 = setc("eventcategory","1301000000"); + + var dup67 = setc("eventcategory","1001000000"); + + var dup68 = setc("eventcategory","1003030000"); + + var dup69 = setc("eventcategory","1003050000"); + + var dup70 = setc("eventcategory","1103000000"); + + var dup71 = setc("eventcategory","1603110000"); + + var dup72 = setc("eventcategory","1605020000"); + + var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup78 = setc("eventcategory","1801000000"); + + var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} 
sent=%{sbytes}"); + + var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); + + var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup88 = setf("id","hfld1"); + + var dup89 = setc("eventcategory","1001020309"); + + var dup90 = setc("eventcategory","1303000000"); + + var dup91 = setc("eventcategory","1801010100"); + + var dup92 = setc("eventcategory","1604010000"); + + var dup93 = setc("eventcategory","1002020000"); + + var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var dup97 = setc("eventcategory","1001010000"); + + var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", 
"rcvd=%{rbytes->} cmd=%{p0}"); + + var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var dup106 = setc("eventcategory","1401060000"); + + var dup107 = setc("eventcategory","1804000000"); + + var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var dup109 = setc("eventcategory","1401070000"); + + var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var dup111 = setc("eventcategory","1801030000"); + + var dup112 = setc("eventcategory","1402020300"); + + var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); + + var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var dup116 = setc("eventcategory","1402000000"); + + var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var dup120 = setc("eventcategory","1803020000"); + + var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + 
+ var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var dup144 = setc("event_description","Connection Closed"); + + var dup145 = setc("eventcategory","1801020000"); + + var dup146 = setc("ec_activity","Permit"); + + var dup147 = setc("action","allowed"); + + var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var dup156 = setc("eventcategory","1001030500"); + + var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var dup165 = setc("eventcategory","1801010000"); + + var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} 
%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup170 = setc("eventcategory","1003010000"); + + var dup171 = setc("eventcategory","1609000000"); + + var dup172 = setc("eventcategory","1204000000"); + + var dup173 = setc("eventcategory","1602000000"); + + var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var dup175 = setc("eventcategory","1803000000"); + + var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var dup182 = linear_select([ + dup8, + dup9, + ]); + + var dup183 = linear_select([ + dup15, + dup16, + ]); + + var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup185 = linear_select([ + dup26, + dup27, + ]); + + var dup186 = linear_select([ + dup28, + dup29, + ]); + + var dup187 = linear_select([ + dup35, + dup36, + ]); + + var dup188 = linear_select([ + dup37, + dup38, + ]); + + var dup189 = linear_select([ + dup39, + dup40, + ]); + + var dup190 = linear_select([ + dup26, + dup46, + ]); + + var dup191 = linear_select([ + dup48, + dup49, + ]); + + var dup192 = linear_select([ + dup52, + dup53, + ]); + + var dup193 = linear_select([ + dup55, + dup56, + ]); + + var dup194 = linear_select([ + dup57, + dup58, + ]); + + var dup195 = 
match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var dup197 = linear_select([ + dup75, + dup76, + ]); + + var dup198 = linear_select([ + dup83, + dup84, + ]); + + var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var dup200 = linear_select([ + dup94, + dup95, + ]); + + var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var dup202 = linear_select([ + dup98, + dup99, + ]); + + var dup203 = linear_select([ + dup86, + dup102, + ]); + + var dup204 = linear_select([ + dup103, + dup104, + ]); + + var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup210 = linear_select([ + dup114, + dup115, + ]); + + var dup211 = linear_select([ + dup117, + dup118, + ]); + + var dup212 = linear_select([ + dup43, + dup42, + ]); + + var dup213 = linear_select([ + dup8, + dup27, + ]); + + var dup214 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var dup215 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var dup216 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var dup217 = linear_select([ + dup127, + dup128, + ]); + + var dup218 = linear_select([ + dup129, + dup130, + ]); + + var dup219 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var dup220 = linear_select([ + dup138, + dup56, + ]); + + var dup221 = linear_select([ + dup140, + dup141, + ]); + + var dup222 = linear_select([ + dup142, + dup143, + ]); + + var dup223 = linear_select([ + dup150, + dup151, + ]); + + var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var dup225 = linear_select([ + dup158, + dup38, + ]); + + var dup226 = linear_select([ + dup160, + dup161, + ]); + + var dup227 = linear_select([ + dup162, + dup163, + ]); + + var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var dup235 = linear_select([ + dup177, + dup178, + ]); + + var dup236 = linear_select([ + dup180, + dup181, + ]); + + var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var dup238 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup239 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var dup240 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup241 = all_match({ + processors: [ + dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup242 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var dup243 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup244 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var dup245 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var dup246 = all_match({ + processors: [ + dup110, + dup185, + dup187, 
+ ],
+ on_success: processor_chain([
+ dup112,
+ ]),
+ });
+
+ var dup247 = all_match({
+ processors: [
+ dup113,
+ dup210,
+ ],
+ on_success: processor_chain([
+ dup93,
+ ]),
+ });
+
+ var dup248 = all_match({
+ processors: [
+ dup110,
+ dup185,
+ dup187,
+ ],
+ on_success: processor_chain([
+ dup116,
+ ]),
+ });
+
+ var dup249 = all_match({
+ processors: [
+ dup51,
+ dup189,
+ dup41,
+ dup187,
+ ],
+ on_success: processor_chain([
+ dup5,
+ ]),
+ });
+
+ var dup250 = all_match({
+ processors: [
+ dup73,
+ dup185,
+ dup183,
+ dup43,
+ ],
+ on_success: processor_chain([
+ dup1,
+ ]),
+ });
+
+ var dup251 = all_match({
+ processors: [
+ dup157,
+ dup225,
+ dup159,
+ dup226,
+ dup227,
+ dup164,
+ ],
+ on_success: processor_chain([
+ dup156,
+ dup59,
+ dup60,
+ dup61,
+ dup62,
+ dup44,
+ dup63,
+ dup18,
+ dup19,
+ dup20,
+ dup21,
+ dup22,
+ ]),
+ });
+
+ var dup252 = all_match({
+ processors: [
+ dup7,
+ dup182,
+ dup10,
+ dup202,
+ dup100,
+ ],
+ on_success: processor_chain([
+ dup1,
+ ]),
+ });
+
+ var dup253 = all_match({
+ processors: [
+ dup7,
+ dup182,
+ dup10,
+ dup200,
+ dup96,
+ ],
+ on_success: processor_chain([
+ dup1,
+ ]),
+ });
+
+ var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([
+ setc("header_id","0001"),
+ ]));
+
+ var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([
+ setc("header_id","0002"),
+ call({
+ dest: "nwparser.payload",
+ fn: STRCAT,
+ args: [
+ field("messageid"),
+ constant("= "),
+ field("p0"),
+ ],
+ }),
+ ]));
+
+ var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([
+ setc("header_id","0003"),
+ ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, + ])); + + var msg1 = msg("4", part1); + + var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, + ])); + + var msg2 = msg("5", part2); + + var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg3 = msg("5:01", part3); + + var select2 = linear_select([ + msg2, + msg3, + ]); + + var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, + ])); + + var msg4 = msg("6", part4); + + var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg5 = msg("6:01", part5); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, + ])); + + var msg6 = msg("7", part6); + + var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, + ])); + + var msg7 = msg("8", part7); + + var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, + ])); + + var msg8 = msg("9", part8); + + var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, + ])); + + var msg9 = msg("10", part9); + + var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your 
DNS server%{}", processor_chain([ + dup4, + ])); + + var msg10 = msg("11", part10); + + var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, + ])); + + var msg11 = msg("12", part11); + + var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, + ])); + + var msg12 = msg("12:01", part12); + + var select4 = linear_select([ + msg11, + msg12, + ]); + + var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, + ])); + + var msg13 = msg("13", part13); + + var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); + + var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); + + var select5 = linear_select([ + part14, + part15, + ]); + + var all1 = all_match({ + processors: [ + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), + }); + + var msg14 = msg("14", all1); + + var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); + + var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); + + var select6 = linear_select([ + part16, + part17, + ]); + + var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); + + var all2 = all_match({ + processors: [ + dup7, + dup182, + dup10, + select6, + part18, + ], + on_success: processor_chain([ + dup6, + ]), + }); + + var msg15 = msg("14:01", all2); + + var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg16 = msg("14:02", part19); + + var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg17 = msg("14:03", part20); + + var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg18 = msg("14:04", part21); + + var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg19 = msg("14:05", part22); + + var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + ]); + + var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, + ])); + + var msg20 = msg("15", part23); + + var 
part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, + ])); + + var msg21 = msg("16", part24); + + var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, + ])); + + var msg22 = msg("17", part25); + + var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup12, + ])); + + var msg23 = msg("18", part26); + + var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, + ])); + + var msg24 = msg("19", part27); + + var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, + ])); + + var msg25 = msg("20", part28); + + var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, + ])); + + var msg26 = msg("21", part29); + + var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, + ])); + + var msg27 = msg("22", part30); + + var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, + ])); + + var msg28 = msg("23", part31); + + var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + + var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + + var select8 = linear_select([ + part33, + part34, + ]); + + var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); + + var all3 = all_match({ + processors: [ + part32, + dup183, + dup17, + select8, + part35, + ], + on_success: processor_chain([ + dup14, + ]), + }); + + var msg29 = msg("23:01", all3); + + var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: 
%{smacaddr}", processor_chain([ + dup14, + ])); + + var msg30 = msg("23:02", part36); + + var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); + + var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); + + var select9 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + + var all4 = all_match({ + processors: [ + part37, + select9, + part40, + ], + on_success: processor_chain([ + dup14, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg31 = msg("23:03", all4); + + var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, + ]); + + var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup23, + ])); + + var msg32 = msg("24", part41); + + var msg33 = msg("24:01", dup184); + + var select11 = linear_select([ + msg32, + msg33, + ]); + + var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg34 = msg("25", part42); + + var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg35 = msg("26", part43); + + var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg36 = msg("27", part44); + + var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, + ])); + + var msg37 = msg("28", part45); + + var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, + ])); + + var msg38 = msg("28:01", part46); + + var select12 = linear_select([ + msg37, + msg38, + ]); + + var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup25, + ])); + + var msg39 = msg("29", part47); + + var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var all5 = all_match({ + processors: [ + part48, + dup185, + dup186, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg40 = msg("29:01", all5); + + var select13 = linear_select([ + msg39, + msg40, + ]); + + var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg41 = msg("30", part49); + + var msg42 = msg("30:01", dup238); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup25, + ])); + + var msg43 = msg("31", part50); + + var all6 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup25, + ]), + }); + + var msg44 = msg("31:01", all6); + + var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg45 = msg("31:02", part51); + + var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var 
msg46 = msg("31:03", part52); + + var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg47 = msg("31:04", part53); + + var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, + ]); + + var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg48 = msg("32", part54); + + var msg49 = msg("32:01", dup238); + + var select16 = linear_select([ + msg48, + msg49, + ]); + + var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup33, + ])); + + var msg50 = msg("33", part55); + + var all7 = all_match({ + processors: [ + dup34, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var msg51 = msg("33:01", all7); + + var select17 = linear_select([ + msg50, + msg51, + ]); + + var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, + ])); + + var msg52 = msg("34", part56); + + var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), + ])); + + var msg53 = msg("35", part57); + + var all8 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), + }); + + var msg54 = msg("35:01", all8); + + var select18 = linear_select([ + msg53, + msg54, + ]); + + var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, + ])); + + var msg55 = msg("36", part58); + + var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + + 
var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); + + var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var select19 = linear_select([ + part61, + dup42, + dup43, + ]); + + var all9 = all_match({ + processors: [ + part59, + dup188, + part60, + dup189, + dup41, + dup183, + dup17, + select19, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg56 = msg("36:01", all9); + + var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); + + var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); + + var select20 = linear_select([ + part62, + part63, + ]); + + var all10 = all_match({ + processors: [ + dup45, + dup190, + dup17, + dup183, + dup17, + select20, + dup47, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg57 = msg("36:02", all10); + + var select21 = linear_select([ + msg55, + msg56, + msg57, + ]); + + var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg58 = msg("37", part64); + + var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + + var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); + + var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var all11 = all_match({ + processors: [ + part65, + dup188, + part66, + select22, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg59 = msg("37:01", all11); + + var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, + ])); + + var msg60 = msg("37:02", part69); + + var all12 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg61 = msg("37:03", all12); + + var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, + ])); + + var msg62 = msg("37:04", part70); + + var select23 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + ]); + + var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg63 = msg("38", part71); + + var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); + + var select24 = linear_select([ + part72, + dup42, + ]); + + var all13 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup183, + dup17, + select24, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg64 = msg("38:01", all13); + + var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + + var all14 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup192, + part73, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg65 = msg("38:02", all14); + + var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + + var all15 = all_match({ + processors: [ + dup54, + dup193, + part74, + dup194, + part75, + ], + on_success: processor_chain([ + dup5, + dup11, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg66 = msg("38:03", all15); + + var select25 = linear_select([ + msg63, + msg64, + msg65, + msg66, + ]); + + var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg67 = msg("39", part76); + + var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg68 = msg("40", part77); + + var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg69 = msg("41:01", part78); + + var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, + ])); + + var msg70 = msg("41:02", part79); + + var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, + ])); + + var msg71 = msg("41:03", part80); + + var select26 = linear_select([ + msg69, + msg70, + msg71, + ]); + + var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, + ])); + + var msg72 = msg("42", part81); + + var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, + ])); + + var msg73 = msg("43", part82); + + var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, + ])); + + var msg74 = msg("44", part83); + + var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ 
+ dup5, + ])); + + var msg75 = msg("45", part84); + + var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, + ])); + + var msg76 = msg("45:01", part85); + + var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg77 = msg("45:02", part86); + + var select27 = linear_select([ + msg75, + msg76, + msg77, + ]); + + var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg78 = msg("46:01", part87); + + var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, + ])); + + var msg79 = msg("46:02", part88); + + var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg80 = msg("46", part89); + + var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all16 = all_match({ + processors: [ + part90, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg81 = msg("46:03", all16); + + var select28 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, + ])); + + var msg82 = msg("47", part91); + + var part92 = match("MESSAGE#81:48", "nwparser.payload", 
"Out-of-order command packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg83 = msg("48", part92); + + var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, + ])); + + var msg84 = msg("49", part93); + + var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, + ])); + + var msg85 = msg("50", part94); + + var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg86 = msg("51", part95); + + var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, + ])); + + var msg87 = msg("52", part96); + + var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ + dup2, + ])); + + var msg88 = msg("53", part97); + + var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup64, + ])); + + var msg89 = msg("58", part98); + + var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, + ])); + + var msg90 = msg("60", part99); + + var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, + ])); + + var msg91 = msg("61", part100); + + var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup65, + ])); + + var msg92 = msg("62", part101); + + var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup66, + ])); + + var msg93 = msg("63", part102); + + var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg94 
= msg("63:01", part103); + + var select29 = linear_select([ + msg93, + msg94, + ]); + + var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, + ])); + + var msg95 = msg("64", part104); + + var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg96 = msg("65", part105); + + var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg97 = msg("66", part106); + + var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup66, + ])); + + var msg98 = msg("67", part107); + + var all17 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg99 = msg("67:01", all17); + + var select30 = linear_select([ + msg98, + msg99, + ]); + + var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup66, + ])); + + var msg100 = msg("68", part108); + + var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup66, + ])); + + var msg101 = msg("69", part109); + + var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup66, + ])); + + var msg102 = msg("70", part110); + + var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); + + var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); + + var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); + + var select31 = linear_select([ + part112, + part113, + ]); + + var all18 = all_match({ + processors: [ + part111, + select31, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg103 = msg("70:01", all18); + + var select32 = linear_select([ + 
msg102, + msg103, + ]); + + var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg104 = msg("72", part114); + + var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup67, + ])); + + var msg105 = msg("72:01", part115); + + var select33 = linear_select([ + msg104, + msg105, + ]); + + var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg106 = msg("73", part116); + + var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg107 = msg("74", part117); + + var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg108 = msg("75", part118); + + var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg109 = msg("76", part119); + + var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg110 = msg("77", part120); + + var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg111 = msg("78", part121); + + var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg112 = msg("79", part122); + + var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg113 = msg("80", part123); + + var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg114 = msg("81", part124); + + var part125 = 
match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg115 = msg("82", part125); + + var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup70, + ])); + + var msg116 = msg("82:02", part126); + + var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup70, + ])); + + var msg117 = msg("82:03", part127); + + var msg118 = msg("82:01", dup195); + + var select34 = linear_select([ + msg115, + msg116, + msg117, + msg118, + ]); + + var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg119 = msg("83", part128); + + var msg120 = msg("83:01", dup196); + + var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg121 = msg("83:02", part129); + + var select35 = linear_select([ + msg119, + msg120, + msg121, + ]); + + var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + + var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + + var select36 = linear_select([ + part130, + part131, + ]); + + var all19 = all_match({ + processors: [ + select36, + ], + on_success: processor_chain([ + dup71, + setc("action","Failed to resolve name"), + ]), + }); + + var msg122 = msg("84", all19); + + var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup72, + ])); + + var 
msg123 = msg("87", part132); + + var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup72, + ])); + + var msg124 = msg("87:01", part133); + + var select37 = linear_select([ + msg123, + msg124, + ]); + + var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup66, + ])); + + var msg125 = msg("88", part134); + + var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg126 = msg("88:01", part135); + + var select38 = linear_select([ + msg125, + msg126, + ]); + + var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg127 = msg("89", part136); + + var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); + + var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); + + var select39 = linear_select([ + part137, + part138, + ]); + + var all20 = all_match({ + processors: [ + dup73, + select39, + ], + on_success: processor_chain([ + dup72, + ]), + }); + + var msg128 = msg("89:01", all20); + + var select40 = linear_select([ + msg127, + msg128, + ]); + + var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup72, + ])); + + var msg129 = msg("90", part139); + + var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup72, + ])); + + var msg130 = msg("91", part140); + + var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg131 = msg("92", part141); + + var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic 
Code A%{}", processor_chain([ + dup1, + ])); + + var msg132 = msg("93", part142); + + var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, + ])); + + var msg133 = msg("94", part143); + + var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, + ])); + + var msg134 = msg("95", part144); + + var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, + ])); + + var msg135 = msg("96", part145); + + var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, + ])); + + var msg136 = msg("97", part146); + + var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); + + var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + + var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + + var select41 = linear_select([ + part148, + part149, + ]); + + var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); + + var all21 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part147, + select41, + dup197, + part150, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg137 = msg("97:01", all21); + + var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); + + var all22 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part151, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg138 = msg("97:02", all22); + + var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all23 = all_match({ + processors: [ + dup77, + dup189, + dup41, + 
dup183, + part152, + dup197, + part153, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg139 = msg("97:03", all23); + + var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); + + var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all24 = all_match({ + processors: [ + dup77, + dup189, + dup41, + dup183, + part154, + dup197, + part155, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg140 = msg("97:04", all24); + + var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + + var all25 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part156, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg141 = msg("97:05", all25); + + var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); + + var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); + + var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); + + var select42 = linear_select([ + part158, + part159, + ]); + + var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all26 = all_match({ + processors: [ + part157, + select42, + part160, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg142 = msg("97:06", all26); + + var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{p0}"); + + var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); + + var select43 = linear_select([ + part162, + dup79, + ]); + + var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all27 = all_match({ + processors: [ + part161, + select43, + part163, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg143 = msg("97:07", all27); + + var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg144 = msg("97:08", part164); + + var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg145 = msg("97:09", part165); + + var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg146 = 
msg("97:10", part166); + + var select44 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); + + var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); + + var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); + + var select45 = linear_select([ + part168, + part169, + part170, + ]); + + var all28 = all_match({ + processors: [ + dup54, + dup193, + part167, + select45, + ], + on_success: processor_chain([ + dup78, + dup59, + setc("ec_activity","Stop"), + dup61, + dup62, + dup11, + setc("action","Opened"), + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg147 = msg("98", all28); + + var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg148 = msg("98:07", part171); + + var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); + + var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + + var select46 = linear_select([ + part173, + dup56, + ]); + + var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + + var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + + var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + 
+ var select47 = linear_select([ + part175, + part176, + ]); + + var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var select48 = linear_select([ + part177, + part178, + part179, + ]); + + var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); + + var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); + + var select49 = linear_select([ + dup80, + part181, + part182, + ]); + + var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); + + var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var select50 = linear_select([ + part183, + part184, + part185, + part186, + dup81, + dup43, + ]); + + var all29 = all_match({ + processors: [ + part172, + select46, + part174, + select47, + select48, + part180, + select49, + select50, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg149 = msg("98:01", all29); + + var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); + + var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); + + var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); + + var select51 = 
linear_select([ + part187, + part188, + part189, + ]); + + var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); + + var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); + + var select52 = linear_select([ + part191, + dup56, + ]); + + var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); + + var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var select53 = linear_select([ + part193, + part194, + dup85, + part195, + ]); + + var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); + + var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + + var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + + var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); + + var select54 = linear_select([ + part197, + part198, + part199, + dup86, + part200, + ]); + + var all30 = all_match({ + processors: [ + dup82, + select51, + part190, + select52, + part192, + dup198, + dup17, + select53, + part196, + select54, + ], + on_success: processor_chain([ + dup78, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg150 = msg("98:06", all30); + + var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + + var all31 = all_match({ + processors: [ + part201, + 
dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg151 = msg("98:02", all31); + + var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); + + var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); + + var select55 = linear_select([ + part202, + part203, + ]); + + var all32 = all_match({ + processors: [ + select55, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg152 = msg("98:03", all32); + + var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + + var all33 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part204, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg153 = msg("98:04", all33); + + var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + + var all34 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part205, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg154 = msg("98:05", all34); + + var select56 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + ]); + + var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup31, + dup11, + ])); + + var msg155 = msg("986", part206); + + var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); + + var all35 = all_match({ + processors: [ + dup73, + dup185, + dup183, + part207, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg156 = msg("427", all35); + + var part208 = match("MESSAGE#155:428/2", 
"nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var all36 = all_match({ + processors: [ + dup87, + dup194, + part208, + ], + on_success: processor_chain([ + dup23, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg157 = msg("428", all36); + + var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg158 = msg("99", part209); + + var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup72, + ])); + + var msg159 = msg("100", part210); + + var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg160 = msg("101", part211); + + var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg161 = msg("102", part212); + + var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg162 = msg("103", part213); + + var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg163 = msg("104", part214); + + var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg164 = msg("105", part215); + + var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup71, + ])); + + var msg165 = msg("106", part216); + + var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup72, + ])); + + var msg166 = msg("107", part217); + + var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup72, + ])); + + var msg167 = msg("108", part218); + + var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup71, + ])); + + var msg168 = msg("109", part219); + + var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup72, + ])); + + var msg169 = msg("110", part220); + + var msg170 = msg("111:01", dup199); + + var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup72, + ])); + + var msg171 = msg("111", part221); + + var select57 = linear_select([ + msg170, + msg171, + ]); + + var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup72, + ])); + + var msg172 = msg("112", part222); + + var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup72, + ])); + + var msg173 = msg("113", part223); + + var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup72, + ])); + + var msg174 = msg("114", part224); + + var msg175 = msg("115:01", dup199); + + var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg176 = msg("115", part225); + + var select58 = linear_select([ + msg175, + msg176, + ]); + + var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg177 = msg("116", part226); + + var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg178 = msg("117", part227); + + var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg179 = msg("118", part228); + + var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup71, + ])); + + var msg180 = msg("119", part229); + + var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup71, + ])); + + var msg181 = msg("120", part230); + + var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup72, + ])); + + var msg182 = msg("121", part231); + + var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup71, + ])); + + var msg183 = msg("122", part232); + + var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup71, + ])); + + var msg184 = msg("123", part233); + + var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup72, + ])); + + var msg185 = msg("124", part234); + + var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup72, + ])); + + var msg186 = msg("125", part235); + + var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg187 = msg("1254", part236); + + 
var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg188 = msg("1256", part237); + + var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg189 = msg("1257", part238); + + var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup72, + ])); + + var msg190 = msg("126", part239); + + var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup72, + ])); + + var msg191 = msg("127", part240); + + var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, + ])); + + var msg192 = msg("128", part241); + + var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, + ])); + + var msg193 = msg("129", part242); + + var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, + ])); + + var msg194 = msg("130", part243); + + var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, + ])); + + var msg195 = msg("131", part244); + + var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ + dup1, + ])); + + var msg196 = msg("132", part245); + + var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg197 = msg("133", part246); + + var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg198 = msg("134", part247); + + var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg199 = msg("135", part248); + + var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg200 = msg("136", part249); + + var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, + ])); + + var msg201 = msg("137", part250); + + var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, + ])); + + var msg202 = msg("138", part251); + + var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, + ])); + + var msg203 = msg("139", part252); + + var all37 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), + }); + + var msg204 = msg("139:01", all37); + + var select59 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("140", dup239); + + var msg206 = msg("141", dup239); + + var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg207 = msg("142", part253); + + var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg208 = msg("143", part254); + + var part255 = match("MESSAGE#207:1431", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg209 = msg("1431", part255); + + var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg210 = msg("144", part256); + + var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg211 = msg("145", part257); + + var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup92, + ])); + + var msg212 = msg("146", part258); + + var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup92, + ])); + + var msg213 = msg("147", part259); + + var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, + ])); + + var msg214 = msg("148", part260); + + var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, + ])); + + var msg215 = msg("1480", part261); + + var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, + ])); + + var msg216 = msg("149", part262); + + var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, + ])); + + var msg217 = msg("150", part263); + + var part264 = match("MESSAGE#216:151", "nwparser.payload", 
"Primary firewall preempting Backup%{}", processor_chain([ + dup1, + ])); + + var msg218 = msg("151", part264); + + var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, + ])); + + var msg219 = msg("152", part265); + + var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), + ])); + + var msg220 = msg("153", part266); + + var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup64, + ])); + + var msg221 = msg("154", part267); + + var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg222 = msg("155", part268); + + var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg223 = msg("156", part269); + + var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, + ])); + + var msg224 = msg("157:01", part270); + + var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, + ])); + + var msg225 = msg("157", part271); + + var select60 = linear_select([ + msg224, + msg225, + ]); + + var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup92, + ])); + + var msg226 = msg("158", part272); + + var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, + ])); + + var msg227 = msg("159", part273); + + var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ + 
setc("eventcategory","1203000000"), + ])); + + var msg228 = msg("160", part274); + + var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup65, + ])); + + var msg229 = msg("161", part275); + + var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup33, + ])); + + var msg230 = msg("162", part276); + + var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, + ])); + + var msg231 = msg("163", part277); + + var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, + ])); + + var msg232 = msg("164", part278); + + var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, + ])); + + var msg233 = msg("165", part279); + + var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, + ])); + + var msg234 = msg("166", part280); + + var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg235 = msg("167", part281); + + var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg236 = msg("168", part282); + + var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, + ])); + + var msg237 = msg("169", part283); + + var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, + ])); + + var msg238 = msg("170", part284); + + var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", 
processor_chain([ + dup70, + ])); + + var msg239 = msg("171", part285); + + var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg240 = msg("171:01", part286); + + var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg241 = msg("171:02", part287); + + var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all38 = all_match({ + processors: [ + part288, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var msg242 = msg("171:03", all38); + + var select61 = linear_select([ + msg239, + msg240, + msg241, + msg242, + ]); + + var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup70, + ])); + + var msg243 = msg("172", part289); + + var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup70, + ])); + + var msg244 = msg("172:01", part290); + + var select62 = linear_select([ + msg243, + msg244, + ]); + + var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup70, + ])); + + var msg245 = msg("173", part291); + + var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup67, + ])); + + var msg246 = msg("174", part292); + + var all39 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var msg247 = msg("174:01", all39); + + var all40 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg248 = msg("174:02", all40); + + var 
all41 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg249 = msg("174:03", all41); + + var select63 = linear_select([ + msg246, + msg247, + msg248, + msg249, + ]); + + var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup67, + ])); + + var msg250 = msg("175", part293); + + var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup67, + ])); + + var msg251 = msg("175:01", part294); + + var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup67, + ])); + + var msg252 = msg("175:02", part295); + + var select64 = linear_select([ + msg250, + msg251, + msg252, + ]); + + var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup93, + ])); + + var msg253 = msg("176", part296); + + var msg254 = msg("177", dup196); + + var msg255 = msg("178", dup201); + + var msg256 = msg("179", dup196); + + var all42 = all_match({ + processors: [ + dup34, + dup185, + dup187, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg257 = msg("180", all42); + + var all43 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg258 = msg("180:01", all43); + + var select65 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("181", dup195); + + var all44 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup70, + ]), + }); + + var msg260 = msg("181:01", all44); + + var select66 = linear_select([ + msg259, + msg260, + ]); + + var 
msg261 = msg("193", dup240); + + var msg262 = msg("194", dup241); + + var msg263 = msg("195", dup241); + + var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var all45 = all_match({ + processors: [ + part297, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg264 = msg("196", all45); + + var all46 = all_match({ + processors: [ + dup101, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg265 = msg("196:01", all46); + + var select67 = linear_select([ + msg264, + msg265, + ]); + + var msg266 = msg("199", dup242); + + var msg267 = msg("200", dup243); + + var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup30, + ])); + + var msg268 = msg("235:02", part298); + + var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + + var all47 = all_match({ + processors: [ + part299, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg269 = msg("235", all47); + + var msg270 = msg("235:01", dup244); + + var select68 = linear_select([ + msg268, + msg269, + msg270, + ]); + + var msg271 = msg("236", dup244); + + var msg272 = msg("237", dup242); + + var msg273 = msg("238", dup242); + + var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg274 = msg("239", part300); + + var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg275 = msg("240", part301); + + var part302 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup78, + ])); + + var msg276 = msg("241", part302); + + var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup78, + ])); + + var msg277 = msg("241:01", part303); + + var select69 = linear_select([ + msg276, + msg277, + ]); + + var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + + var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var select70 = linear_select([ + part304, + part305, + dup40, + ]); + + var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); + + var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); + + var select71 = linear_select([ + part306, + part307, + dup36, + ]); + + var all48 = all_match({ + processors: [ + dup51, + select70, + dup41, + select71, + ], + on_success: processor_chain([ + dup78, + ]), + }); + + var msg278 = msg("242", all48); + + var msg279 = msg("252", dup205); + + var msg280 = msg("255", dup205); + + var msg281 = msg("257", dup205); + + var msg282 = msg("261:01", dup245); + + var msg283 = msg("261", dup205); + + var select72 = linear_select([ + msg282, + msg283, + ]); + + var msg284 = msg("262", dup245); + + var all49 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg285 = msg("273", all49); + + var msg286 = msg("328", dup246); + + var msg287 = msg("329", dup243); + + var msg288 = msg("346", dup205); + + var msg289 = msg("350", dup205); + + var msg290 = msg("351", dup205); + + var msg291 = msg("352", dup205); + + var msg292 = msg("353:01", dup201); + + var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} 
dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup5, + ])); + + var msg293 = msg("353", part308); + + var select73 = linear_select([ + msg292, + msg293, + ]); + + var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, + ])); + + var msg294 = msg("354", part309); + + var msg295 = msg("355", dup206); + + var msg296 = msg("355:01", dup205); + + var select74 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("356", dup207); + + var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup93, + ])); + + var msg298 = msg("357", part310); + + var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var msg299 = msg("357:01", part311); + + var select75 = linear_select([ + msg298, + msg299, + ]); + + var msg300 = msg("358", dup208); + + var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), + ])); + + var msg301 = msg("371", part312); + + var msg302 = msg("371:01", dup209); + + var select76 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("372", dup205); + + var msg304 = msg("373", dup207); + + var msg305 = msg("401", dup247); + + var msg306 = msg("402", dup247); + + var msg307 = msg("406", dup208); + + var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var msg308 = msg("413", part313); + + var msg309 = msg("414", dup205); + + var msg310 = msg("438", dup248); 
+ + var msg311 = msg("439", dup248); + + var all50 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), + }); + + var msg312 = msg("440", all50); + + var all51 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), + }); + + var msg313 = msg("441", all51); + + var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), + ])); + + var msg314 = msg("441:01", part314); + + var select77 = linear_select([ + msg313, + msg314, + ]); + + var all52 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), + }); + + var msg315 = msg("442", all52); + + var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + + var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + + var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + + var select78 = linear_select([ + part316, + part317, + ]); + + var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all53 = all_match({ + processors: [ + part315, + select78, + part318, + dup211, + dup119, + ], + on_success: processor_chain([ + dup67, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg316 = msg("446", all53); + + var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup120, + dup59, + 
dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg317 = msg("477", part319); + + var all54 = all_match({ + processors: [ + dup73, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg318 = msg("509", all54); + + var all55 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var msg319 = msg("520", all55); + + var msg320 = msg("522", dup249); + + var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + + var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); + + var all56 = all_match({ + processors: [ + part320, + dup189, + part321, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg321 = msg("522:01", all56); + + var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + + var select79 = linear_select([ + part322, + dup46, + ]); + + var all57 = all_match({ + processors: [ + dup45, + select79, + dup17, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg322 = msg("522:02", all57); + + var select80 = linear_select([ + msg320, + msg321, + msg322, + ]); + + var msg323 = msg("523", dup249); + + var all58 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg324 = msg("524", all58); + + var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + + var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + + var select81 = linear_select([ + part323, + part324, + ]); + + var all59 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + select81, + dup47, + ], + on_success: 
processor_chain([ + dup1, + ]), + }); + + var msg325 = msg("524:01", all59); + + var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); + + var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); + + var select82 = linear_select([ + part326, + dup56, + ]); + + var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + + var all60 = all_match({ + processors: [ + part325, + select82, + part327, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), + }); + + var msg326 = msg("524:02", all60); + + var select83 = linear_select([ + msg324, + msg325, + msg326, + ]); + + var msg327 = msg("526", dup250); + + var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + + var select84 = linear_select([ + dup26, + part328, + dup46, + ]); + + var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); + + var select85 = linear_select([ + dup35, + part329, + ]); + + var all61 = all_match({ + processors: [ + dup73, + select84, + dup17, + select85, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg328 = msg("526:01", all61); + + var all62 = all_match({ + processors: [ + dup7, + dup213, + dup183, + dup121, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg329 = msg("526:02", all62); + + var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg330 = msg("526:03", part330); + + var part331 = 
match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg331 = msg("526:04", part331); + + var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg332 = msg("526:05", part332); + + var select86 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + ]); + + var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + + var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); + + var select87 = linear_select([ + part334, + dup123, + ]); + + var all63 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + part333, + select87, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg333 = msg("537:01", all63); + + var all64 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + dup81, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg334 = msg("537:02", all64); + + var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); + + var select88 = linear_select([ + part335, + part336, + part337, + ]); + + var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + + var 
part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); + + var select89 = linear_select([ + part339, + part340, + ]); + + var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); + + var select90 = linear_select([ + part341, + dup131, + part342, + dup132, + dup133, + ]); + + var all65 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select88, + part338, + select89, + dup218, + select90, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg335 = msg("537:08", all65); + + var select91 = linear_select([ + dup125, + dup124, + dup126, + dup38, + ]); + + var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); + + var select92 = linear_select([ + part343, + part344, + part345, + ]); + + var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var select93 = linear_select([ + part347, + dup131, + dup132, + dup133, + ]); + + var all66 = all_match({ + processors: [ + dup54, + select91, + dup217, + select92, + part346, + dup218, + select93, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg336 = msg("537:09", 
all66); + + var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); + + var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); + + var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); + + var select94 = linear_select([ + part348, + part349, + part350, + part351, + part352, + ]); + + var all67 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select94, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg337 = msg("537:07", all67); + + var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); + + var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); + + var select95 = linear_select([ + part354, + dup56, + ]); + + var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + + var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); + + var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); + + var select96 = linear_select([ + part356, + part357, + part358, + part359, + ]); + + var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); + + var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} 
rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + + var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + + var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + + var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + + var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); + + var select97 = linear_select([ + part361, + part362, + part363, + part364, + part365, + ]); + + var all68 = all_match({ + processors: [ + part353, + select95, + part355, + select96, + part360, + select97, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg338 = msg("537", all68); + + var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + + var all69 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part366, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg339 = msg("537:04", all69); + + var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); + + var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + + var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); + + var select98 = linear_select([ + part368, + part369, + ]); + + var all70 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part367, + select98, + dup96, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg340 = msg("537:05", all70); + + var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} 
dstMac=%{p0}"); + + var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + + var select99 = linear_select([ + part371, + part372, + part373, + ]); + + var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all71 = all_match({ + processors: [ + part370, + dup220, + dup139, + dup221, + select99, + part374, + dup222, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg341 = msg("537:10", all71); + + var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + + var select100 = linear_select([ + dup85, + part376, + part377, + ]); + + var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all72 = all_match({ + processors: [ + part375, + dup220, + dup139, + dup221, + select100, + part378, + dup222, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg342 = msg("537:03", all72); + + var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + + var all73 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part379, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg343 = msg("537:06", all73); + + var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg344 = msg("537:11", part380); + + var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg345 = msg("537:12", part381); + + var select101 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + ]); + + var msg346 = msg("538", dup240); + + var msg347 = msg("549", dup243); + + var msg348 = msg("557", dup243); + + var all74 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020200"), + ]), + }); + + var msg349 = msg("558", all74); + + var msg350 = msg("561", dup246); + + var msg351 = msg("562", dup246); + + var msg352 = msg("563", dup246); + + var all75 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), + }); + + var msg353 = msg("583", all75); + + var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, 
+ ])); + + var msg354 = msg("597:01", part382); + + var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, + ])); + + var msg355 = msg("597:02", part383); + + var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); + + var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var all76 = all_match({ + processors: [ + part384, + dup198, + part385, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg356 = msg("597:03", all76); + + var select102 = linear_select([ + msg354, + msg355, + msg356, + ]); + + var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, + ])); + + var msg357 = msg("598", part386); + + var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); + + var all77 = all_match({ + processors: [ + dup148, + dup192, + part387, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg358 = msg("598:01", all77); + + var all78 = all_match({ + processors: [ + dup148, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg359 = msg("598:02", all78); + + var select103 = linear_select([ + msg357, + msg358, + msg359, + ]); + + var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg360 = msg("602:01", 
part388); + + var msg361 = msg("602:02", dup250); + + var all79 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg362 = msg("602:03", all79); + + var select104 = linear_select([ + msg360, + msg361, + msg362, + ]); + + var msg363 = msg("605", dup208); + + var all80 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup211, + dup119, + ], + on_success: processor_chain([ + dup93, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg364 = msg("606", all80); + + var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + + var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + + var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + + var select105 = linear_select([ + part390, + part391, + ]); + + var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + + var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + + var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + + var select106 = linear_select([ + part393, + part394, + ]); + + var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + + var select107 = linear_select([ + part395, + dup154, + dup155, + ]); + + var all81 = all_match({ + processors: [ + part389, + select105, + part392, + select106, + dup153, + select107, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg365 = msg("608", all81); + + var msg366 = msg("616", dup206); + + var msg367 = msg("658", dup201); + + var msg368 = msg("710", dup224); + + var msg369 = msg("712:02", dup251); + + var msg370 = msg("712", dup224); + + var all82 = all_match({ + processors: [ + dup7, + dup182, + dup10, + 
dup202, + dup100, + ], + on_success: processor_chain([ + dup156, + ]), + }); + + var msg371 = msg("712:01", all82); + + var select108 = linear_select([ + msg369, + msg370, + msg371, + ]); + + var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg372 = msg("713:01", part396); + + var msg373 = msg("713:04", dup251); + + var msg374 = msg("713:02", dup224); + + var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg375 = msg("713:03", part397); + + var select109 = linear_select([ + msg372, + msg373, + msg374, + msg375, + ]); + + var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg376 = msg("760", part398); + + var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); + + var all83 = all_match({ + processors: [ + part399, + dup182, + dup10, + dup202, + part400, + ], + on_success: processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg377 = msg("760:01", all83); + + var select110 = linear_select([ + msg376, + msg377, + ]); + + var msg378 = msg("766", dup228); + + var msg379 = msg("860", dup228); + + var msg380 = msg("860:01", dup229); + + var select111 = linear_select([ + msg379, + msg380, + ]); + + var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + + var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); + + var select112 = linear_select([ + part402, + part403, + ]); + + var all84 = all_match({ + processors: [ + part401, + select112, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg381 = msg("866", all84); + + var msg382 = msg("866:01", dup229); + + var select113 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = msg("867", dup228); + + var msg384 = msg("867:01", dup229); + + var select114 = linear_select([ + msg383, + msg384, + ]); + + var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, + ])); + + var msg385 = msg("882", part404); + + var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, + ])); + + var msg386 = msg("882:01", part405); + + var select115 = linear_select([ + msg385, + msg386, + ]); + + var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup165, + ])); + + var msg387 = msg("888", part406); + + var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup165, + ])); + + var msg388 = msg("888:01", part407); + + var select116 = linear_select([ + msg387, + msg388, + ]); + + var all85 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup165, + ]), + }); + + var msg389 = msg("892", all85); + + var msg390 = msg("904", dup228); + + var msg391 = msg("905", dup228); + + var msg392 = msg("906", dup228); + + var msg393 = msg("907", dup228); + + var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); + + var select117 = linear_select([ + part408, + dup167, + ]); + + var all86 = all_match({ + processors: [ + dup166, + select117, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg394 = msg("908", all86); + + var msg395 = msg("909", dup228); + + var msg396 = msg("914", dup230); + + var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup72, + ])); + + var msg397 = msg("931", part409); + + var msg398 = msg("657", dup230); + + var all87 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg399 = msg("657:01", all87); + + var select118 = linear_select([ + msg398, + msg399, + ]); + + var msg400 = msg("403", dup209); + + var msg401 = msg("534", dup184); + + var msg402 = msg("994", dup231); + + var part410 = 
match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg403 = msg("243", part410); + + var msg404 = msg("995", dup184); + + var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup59, + dup61, + dup62, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg405 = msg("997", part411); + + var msg406 = msg("998", dup231); + + var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup11, + ])); + + var msg407 = msg("998:01", part412); + + var select119 = linear_select([ + msg406, + msg407, + ]); + + var msg408 = msg("1110", dup232); + + var msg409 = msg("565", dup232); + + var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup62, + ])); + + var msg410 = msg("404", part413); + + var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + + var select120 = linear_select([ + part414, + dup58, + ]); + + var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + + var all88 = all_match({ + processors: [ + dup87, + select120, + part415, + ], + on_success: processor_chain([ + dup111, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, 
+ ]), + }); + + var msg411 = msg("267:01", all88); + + var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup62, + ])); + + var msg412 = msg("267", part416); + + var select121 = linear_select([ + msg411, + msg412, + ]); + + var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg413 = msg("263", part417); + + var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg414 = msg("264", part418); + + var msg415 = msg("412", dup209); + + var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg416 = msg("793", part419); + + var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup24, + ])); + + var msg417 = msg("805", part420); + + var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg418 = msg("809", part421); + + var part422 = match("MESSAGE#418:809:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg419 = msg("809:01", part422); + + var select122 = linear_select([ + msg418, + msg419, + ]); + + var msg420 = msg("935", dup230); + + var msg421 = msg("614", dup233); + + var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var all89 = all_match({ + processors: [ + part423, + dup211, + dup119, + ], + on_success: processor_chain([ + dup66, + dup44, + ]), + }); + + var msg422 = msg("748", all89); + + var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + + var select123 = linear_select([ + part425, + dup118, + ]); + + var all90 = all_match({ + processors: [ + part424, + select123, + dup119, + ], + on_success: processor_chain([ + dup171, + dup44, + ]), + }); + + var msg423 = msg("794", all90); + + var msg424 = msg("1086", dup233); + + var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var msg425 = msg("1430", part426); + + var msg426 = msg("1149", dup233); + + var msg427 = msg("1159", dup233); + + var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + 
dup44, + ])); + + var msg428 = msg("1195", part427); + + var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup171, + dup44, + ])); + + var msg429 = msg("1195:01", part428); + + var select124 = linear_select([ + msg428, + msg429, + ]); + + var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg430 = msg("1226", part429); + + var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg431 = msg("1222", part430); + + var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg432 = msg("1154", part431); + + var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all91 = all_match({ + processors: [ + part432, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + dup24, + ]), + }); + + var msg433 = msg("1154:01", all91); + + var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup172, + dup11, + ])); + + var msg434 = msg("1154:02", part433); + + var part434 = match("MESSAGE#434:1154:03/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var select125 = linear_select([ + part435, + dup79, + ]); + + var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all92 = all_match({ + processors: [ + part434, + select125, + part436, + ], + on_success: processor_chain([ + dup172, + dup11, + ]), + }); + + var msg435 = msg("1154:03", all92); + + var select126 = linear_select([ + msg432, + msg433, + msg434, + msg435, + ]); + + var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup173, + ])); + + var msg436 = msg("msg", part437); + + var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup173, + ])); + + var msg437 = msg("src", part438); + + var all93 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg438 = msg("1235", all93); + + var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); + + var all94 = all_match({ + processors: [ + dup7, + dup185, + dup10, + dup202, + part439, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg439 = msg("1197", all94); + + var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all95 = all_match({ + processors: [ + part440, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg440 = msg("1199", all95); + + var part441 = 
match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg441 = msg("1199:01", part441); + + var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg442 = msg("1199:02", part442); + + var select127 = linear_select([ + msg440, + msg441, + msg442, + ]); + + var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + + var all96 = all_match({ + processors: [ + part443, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg443 = msg("1155", all96); + + var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup111, + ])); + + var msg444 = msg("1155:01", part444); + + var select128 = linear_select([ + msg443, + msg444, + ]); + + var all97 = all_match({ + processors: [ + dup176, + dup213, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg445 = msg("1198", all97); + + var all98 = all_match({ + processors: [ + dup7, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg446 = msg("714", all98); + + var msg447 = 
msg("709", dup252); + + var msg448 = msg("1005", dup252); + + var msg449 = msg("1003", dup252); + + var msg450 = msg("1007", dup253); + + var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg451 = msg("1008", part445); + + var msg452 = msg("708", dup253); + + var all99 = all_match({ + processors: [ + dup176, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg453 = msg("1201", all99); + + var msg454 = msg("1201:01", dup253); + + var select129 = linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("654", dup234); + + var msg456 = msg("670", dup234); + + var msg457 = msg("884", dup253); + + var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg458 = msg("1153", part446); + + var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); + + var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); + + var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); + + var select130 = linear_select([ + part447, + part448, + part449, + ]); + + var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + + var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var select131 = linear_select([ + part451, + dup26, + ]); + + var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + + var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + + var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + + var select132 = linear_select([ + part452, + part453, + part454, + ]); + + var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + + var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); + + var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); + + var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); + + var select133 = linear_select([ + part456, + part457, + part458, + ]); + + var all100 = all_match({ + processors: [ + dup54, + select130, + part450, + select131, + select132, + part455, + select133, + dup123, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg459 = msg("1153:01", all100); + + var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); + + var select134 = linear_select([ + part459, + part460, + ]); + + var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + + var all101 = all_match({ + processors: [ + dup82, + select134, + part461, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg460 = msg("1153:02", all101); + + var select135 = linear_select([ + msg458, + msg459, + msg460, + ]); + + var part462 = match("MESSAGE#460:1107", "nwparser.payload", 
"msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg461 = msg("1107", part462); + + var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + + var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); + + var select136 = linear_select([ + part464, + part465, + ]); + + var all102 = all_match({ + processors: [ + part463, + select136, + dup153, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg462 = msg("1220", all102); + + var all103 = all_match({ + processors: [ + dup149, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg463 = msg("1230", all103); + + var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg464 = msg("1231", part466); + + var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg465 = msg("1233", part467); + + var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + + var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + + var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + + var select137 = linear_select([ + part469, + part470, + ]); + + var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + + var part472 = match("MESSAGE#465:1079/3_0", 
"nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); + + var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); + + var select138 = linear_select([ + part472, + part473, + dup38, + ]); + + var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); + + var all104 = all_match({ + processors: [ + part468, + select137, + part471, + select138, + part474, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg466 = msg("1079", all104); + + var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg467 = msg("1079:01", part475); + + var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg468 = msg("1079:02", part476); + + var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg469 = msg("1079:03", part477); + + var select139 = linear_select([ + msg466, + msg467, + msg468, + msg469, + ]); + + var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + + var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var select140 = linear_select([ + dup8, + part479, + ]); + + var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var select141 = 
linear_select([ + dup135, + part480, + ]); + + var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); + + var all105 = all_match({ + processors: [ + part478, + select140, + select141, + part481, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg470 = msg("1080", all105); + + var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg471 = msg("580", part482); + + var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + + var all106 = all_match({ + processors: [ + part483, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg472 = msg("1369", all106); + + var all107 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg473 = msg("1370", all107); + + var all108 = all_match({ + processors: [ + dup149, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg474 = msg("1371", all108); + + var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); + + var select142 = linear_select([ + dup167, + part484, + ]); + + var all109 = all_match({ + processors: [ + dup166, + select142, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, 
+ dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg475 = msg("1387", all109); + + var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); + + var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); + + var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); + + var select143 = linear_select([ + part486, + part487, + ]); + + var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); + + var select144 = linear_select([ + part488, + dup154, + dup155, + ]); + + var all110 = all_match({ + processors: [ + part485, + select143, + dup153, + select144, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg476 = msg("1391", all110); + + var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg477 = msg("1253", part489); + + var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg478 = msg("1009", part490); + + var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); + + var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); + + var part493 = match("MESSAGE#478:910/1_1", 
"nwparser.p0", "%{dinterface}srcMac=%{p0}"); + + var select145 = linear_select([ + part492, + part493, + ]); + + var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + + var all111 = all_match({ + processors: [ + part491, + select145, + part494, + ], + on_success: processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg479 = msg("910", all111); + + var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup22, + dup44, + ])); + + var msg480 = msg("m:01", part495); + + var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg481 = msg("1011", part496); + + var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup172, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg482 = msg("609", part497); + + var msg483 = msg("796", dup237); + + var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg484 = msg("880", part498); + + var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg485 = msg("1309", part499); + + var msg486 = msg("1310", dup237); + + var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); + + var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); + + var select146 = linear_select([ + part501, + part502, + ]); + + var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + + var all112 = all_match({ + processors: [ + part500, + select146, + part503, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg487 = msg("1232", all112); + + var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all113 = all_match({ + processors: [ + part504, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg488 = msg("1447", all113); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select139, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select57, + 
"1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select58, + "1153": select135, + "1154": select126, + "1155": select128, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select124, + "1197": msg439, + "1198": msg445, + "1199": select127, + "12": select4, + "120": msg181, + "1201": select129, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select59, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select60, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select61, + "172": select62, + "173": msg245, + "174": select63, + "175": select64, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select65, + "181": select66, + "19": msg24, + "193": msg261, + "194": msg262, + 
"195": msg263, + "196": select67, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select68, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select69, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select72, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select121, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select18, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select73, + "354": msg294, + "355": select74, + "356": msg297, + "357": select75, + "358": msg300, + "36": select21, + "37": select23, + "371": select76, + "372": msg303, + "373": msg304, + "38": select25, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select26, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select77, + "442": msg315, + "446": msg316, + "45": select27, + "46": select28, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select80, + "523": msg323, + "524": select83, + "526": select86, + "53": msg88, + "534": msg401, + "537": select101, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select102, + "598": select103, + "6": select3, + "60": msg90, + "602": select104, + "605": msg363, + "606": msg364, + "608": msg365, + 
"609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select29, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select118, + "658": msg367, + "66": msg97, + "67": select30, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select32, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select108, + "713": select109, + "714": msg446, + "72": select33, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select110, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select122, + "81": msg114, + "82": select34, + "83": select35, + "84": msg122, + "860": select111, + "866": select113, + "867": select114, + "87": select37, + "88": select38, + "880": msg484, + "882": select115, + "884": msg457, + "888": select116, + "89": select40, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select44, + "98": select56, + "986": msg155, + "99": msg158, + "994": msg402, + "995": msg404, + "997": msg405, + "998": select119, + "m": msg480, + "msg": msg436, + "src": msg437, + }), + ]); + + var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + 
var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); + + var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} 
dst= %{p0}"); + + var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + + var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", 
"dstname=%{name}"); + + var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part608 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var select147 = linear_select([ + dup8, + dup9, + ]); + + var select148 = linear_select([ + dup15, + dup16, + ]); + + var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + 
])); + + var select149 = linear_select([ + dup26, + dup27, + ]); + + var select150 = linear_select([ + dup28, + dup29, + ]); + + var select151 = linear_select([ + dup35, + dup36, + ]); + + var select152 = linear_select([ + dup37, + dup38, + ]); + + var select153 = linear_select([ + dup39, + dup40, + ]); + + var select154 = linear_select([ + dup26, + dup46, + ]); + + var select155 = linear_select([ + dup48, + dup49, + ]); + + var select156 = linear_select([ + dup52, + dup53, + ]); + + var select157 = linear_select([ + dup55, + dup56, + ]); + + var select158 = linear_select([ + dup57, + dup58, + ]); + + var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var select159 = linear_select([ + dup75, + dup76, + ]); + + var select160 = linear_select([ + dup83, + dup84, + ]); + + var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var select161 = linear_select([ + dup94, + dup95, + ]); + + var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var select162 = linear_select([ + dup98, + dup99, + ]); + + var select163 = linear_select([ + dup86, + dup102, + ]); + + var select164 = linear_select([ + dup103, + dup104, + ]); + + var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var part630 = match("MESSAGE#293:355", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var select165 = linear_select([ + dup114, + dup115, + ]); + + var select166 = linear_select([ + dup117, + dup118, + ]); + + var select167 = linear_select([ + dup43, + dup42, + ]); + + var select168 = linear_select([ + dup8, + dup27, + ]); + + var select169 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var select170 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var select171 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var select172 = linear_select([ + dup127, + dup128, + ]); + + var select173 = linear_select([ + dup129, + dup130, + ]); + + var select174 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var select175 = linear_select([ + dup138, + dup56, + ]); + + var select176 = linear_select([ + dup140, + dup141, + ]); + + var select177 = linear_select([ + dup142, + dup143, + ]); + + var select178 = linear_select([ + dup150, + dup151, + ]); + + var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var select179 = linear_select([ + dup158, + dup38, + ]); + + var select180 = linear_select([ + dup160, + dup161, + ]); + + var select181 = linear_select([ + dup162, + dup163, + ]); + + var part635 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var select182 = linear_select([ + dup177, + dup178, + ]); + + var select183 = linear_select([ + dup180, + dup181, + ]); + + var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var all114 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all115 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var all116 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all117 = all_match({ + processors: [ + 
dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all118 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var all119 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all120 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var all121 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var all122 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup112, + ]), + }); + + var all123 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var all124 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var all125 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var all126 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all127 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var all128 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all129 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain 
+ target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/sonicwall/0.8.2/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/sonicwall/0.8.2/data_stream/firewall/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..7c1f4432d2 --- /dev/null +++ b/packages/sonicwall/0.8.2/data_stream/firewall/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,9736 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Sonicwall" + product: "Firewalls" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + + var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup12 = setc("eventcategory","1502010000"); + + var dup13 = setc("eventcategory","1502020000"); + + var dup14 = setc("eventcategory","1002010000"); + + var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var dup18 = setf("hostip","hhostip"); + + var dup19 = setf("id","hid"); + + var dup20 = setf("serial_number","hserial_number"); + + var dup21 = setf("category","hcategory"); + + var dup22 = setf("severity","hseverity"); + + var dup23 = setc("eventcategory","1805010000"); + + var dup24 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], + }); + + var dup25 = setc("eventcategory","1302000000"); + + var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var dup30 = setc("eventcategory","1401050100"); + + var dup31 = setc("eventcategory","1401030000"); + + var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" 
n=%{fld->} src=%{p0}"); + + var dup33 = setc("eventcategory","1301020000"); + + var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var dup44 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var 
dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var dup59 = setc("ec_subject","NetworkComm"); + + var dup60 = setc("ec_activity","Deny"); + + var dup61 = setc("ec_theme","Communication"); + + var dup62 = setf("msg","$MSG"); + + var dup63 = setc("action","dropped"); + + var dup64 = setc("eventcategory","1608010000"); + + var dup65 = setc("eventcategory","1302010000"); + + var dup66 = setc("eventcategory","1301000000"); + + var dup67 = setc("eventcategory","1001000000"); + + var dup68 = setc("eventcategory","1003030000"); + + var dup69 = setc("eventcategory","1003050000"); + + var dup70 = setc("eventcategory","1103000000"); + + var dup71 = setc("eventcategory","1603110000"); + + var dup72 = setc("eventcategory","1605020000"); + + var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup78 = setc("eventcategory","1801000000"); + + var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} 
sent=%{sbytes}"); + + var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); + + var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup88 = setf("id","hfld1"); + + var dup89 = setc("eventcategory","1001020309"); + + var dup90 = setc("eventcategory","1303000000"); + + var dup91 = setc("eventcategory","1801010100"); + + var dup92 = setc("eventcategory","1604010000"); + + var dup93 = setc("eventcategory","1002020000"); + + var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var dup97 = setc("eventcategory","1001010000"); + + var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", 
"rcvd=%{rbytes->} cmd=%{p0}"); + + var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var dup106 = setc("eventcategory","1401060000"); + + var dup107 = setc("eventcategory","1804000000"); + + var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var dup109 = setc("eventcategory","1401070000"); + + var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var dup111 = setc("eventcategory","1801030000"); + + var dup112 = setc("eventcategory","1402020300"); + + var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); + + var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var dup116 = setc("eventcategory","1402000000"); + + var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var dup120 = setc("eventcategory","1803020000"); + + var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + 
+ var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var dup144 = setc("event_description","Connection Closed"); + + var dup145 = setc("eventcategory","1801020000"); + + var dup146 = setc("ec_activity","Permit"); + + var dup147 = setc("action","allowed"); + + var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var dup156 = setc("eventcategory","1001030500"); + + var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var dup165 = setc("eventcategory","1801010000"); + + var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} 
%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup170 = setc("eventcategory","1003010000"); + + var dup171 = setc("eventcategory","1609000000"); + + var dup172 = setc("eventcategory","1204000000"); + + var dup173 = setc("eventcategory","1602000000"); + + var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var dup175 = setc("eventcategory","1803000000"); + + var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var dup182 = linear_select([ + dup8, + dup9, + ]); + + var dup183 = linear_select([ + dup15, + dup16, + ]); + + var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup185 = linear_select([ + dup26, + dup27, + ]); + + var dup186 = linear_select([ + dup28, + dup29, + ]); + + var dup187 = linear_select([ + dup35, + dup36, + ]); + + var dup188 = linear_select([ + dup37, + dup38, + ]); + + var dup189 = linear_select([ + dup39, + dup40, + ]); + + var dup190 = linear_select([ + dup26, + dup46, + ]); + + var dup191 = linear_select([ + dup48, + dup49, + ]); + + var dup192 = linear_select([ + dup52, + dup53, + ]); + + var dup193 = linear_select([ + dup55, + dup56, + ]); + + var dup194 = linear_select([ + dup57, + dup58, + ]); + + var dup195 = 
match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var dup197 = linear_select([ + dup75, + dup76, + ]); + + var dup198 = linear_select([ + dup83, + dup84, + ]); + + var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var dup200 = linear_select([ + dup94, + dup95, + ]); + + var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var dup202 = linear_select([ + dup98, + dup99, + ]); + + var dup203 = linear_select([ + dup86, + dup102, + ]); + + var dup204 = linear_select([ + dup103, + dup104, + ]); + + var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup210 = linear_select([ + dup114, + dup115, + ]); + + var dup211 = linear_select([ + dup117, + dup118, + ]); + + var dup212 = linear_select([ + dup43, + dup42, + ]); + + var dup213 = linear_select([ + dup8, + dup27, + ]); + + var dup214 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var dup215 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var dup216 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var dup217 = linear_select([ + dup127, + dup128, + ]); + + var dup218 = linear_select([ + dup129, + dup130, + ]); + + var dup219 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var dup220 = linear_select([ + dup138, + dup56, + ]); + + var dup221 = linear_select([ + dup140, + dup141, + ]); + + var dup222 = linear_select([ + dup142, + dup143, + ]); + + var dup223 = linear_select([ + dup150, + dup151, + ]); + + var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var dup225 = linear_select([ + dup158, + dup38, + ]); + + var dup226 = linear_select([ + dup160, + dup161, + ]); + + var dup227 = linear_select([ + dup162, + dup163, + ]); + + var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var dup235 = linear_select([ + dup177, + dup178, + ]); + + var dup236 = linear_select([ + dup180, + dup181, + ]); + + var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var dup238 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup239 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var dup240 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup241 = all_match({ + processors: [ + dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup242 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var dup243 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup244 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var dup245 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var dup246 = all_match({ + processors: [ + dup110, + dup185, + dup187, 
+ ], + on_success: processor_chain([ + dup112, + ]), + }); + + var dup247 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var dup248 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var dup249 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var dup250 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup251 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var dup252 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup253 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), 
+ ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, + ])); + + var msg1 = msg("4", part1); + + var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, + ])); + + var msg2 = msg("5", part2); + + var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg3 = msg("5:01", part3); + + var select2 = linear_select([ + msg2, + msg3, + ]); + + var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, + ])); + + var msg4 = msg("6", part4); + + var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg5 = msg("6:01", part5); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, + ])); + + var msg6 = msg("7", part6); + + var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, + ])); + + var msg7 = msg("8", part7); + + var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, + ])); + + var msg8 = msg("9", part8); + + var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, + ])); + + var msg9 = msg("10", part9); + + var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your 
DNS server%{}", processor_chain([ + dup4, + ])); + + var msg10 = msg("11", part10); + + var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, + ])); + + var msg11 = msg("12", part11); + + var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, + ])); + + var msg12 = msg("12:01", part12); + + var select4 = linear_select([ + msg11, + msg12, + ]); + + var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, + ])); + + var msg13 = msg("13", part13); + + var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); + + var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); + + var select5 = linear_select([ + part14, + part15, + ]); + + var all1 = all_match({ + processors: [ + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), + }); + + var msg14 = msg("14", all1); + + var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); + + var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); + + var select6 = linear_select([ + part16, + part17, + ]); + + var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); + + var all2 = all_match({ + processors: [ + dup7, + dup182, + dup10, + select6, + part18, + ], + on_success: processor_chain([ + dup6, + ]), + }); + + var msg15 = msg("14:01", all2); + + var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg16 = msg("14:02", part19); + + var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg17 = msg("14:03", part20); + + var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg18 = msg("14:04", part21); + + var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg19 = msg("14:05", part22); + + var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + ]); + + var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, + ])); + + var msg20 = msg("15", part23); + + var 
part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, + ])); + + var msg21 = msg("16", part24); + + var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, + ])); + + var msg22 = msg("17", part25); + + var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup12, + ])); + + var msg23 = msg("18", part26); + + var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, + ])); + + var msg24 = msg("19", part27); + + var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, + ])); + + var msg25 = msg("20", part28); + + var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, + ])); + + var msg26 = msg("21", part29); + + var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, + ])); + + var msg27 = msg("22", part30); + + var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, + ])); + + var msg28 = msg("23", part31); + + var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + + var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + + var select8 = linear_select([ + part33, + part34, + ]); + + var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); + + var all3 = all_match({ + processors: [ + part32, + dup183, + dup17, + select8, + part35, + ], + on_success: processor_chain([ + dup14, + ]), + }); + + var msg29 = msg("23:01", all3); + + var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: 
%{smacaddr}", processor_chain([ + dup14, + ])); + + var msg30 = msg("23:02", part36); + + var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); + + var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); + + var select9 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + + var all4 = all_match({ + processors: [ + part37, + select9, + part40, + ], + on_success: processor_chain([ + dup14, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg31 = msg("23:03", all4); + + var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, + ]); + + var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup23, + ])); + + var msg32 = msg("24", part41); + + var msg33 = msg("24:01", dup184); + + var select11 = linear_select([ + msg32, + msg33, + ]); + + var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg34 = msg("25", part42); + + var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg35 = msg("26", part43); + + var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg36 = msg("27", part44); + + var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, + ])); + + var msg37 = msg("28", part45); + + var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, + ])); + + var msg38 = msg("28:01", part46); + + var select12 = linear_select([ + msg37, + msg38, + ]); + + var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup25, + ])); + + var msg39 = msg("29", part47); + + var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var all5 = all_match({ + processors: [ + part48, + dup185, + dup186, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg40 = msg("29:01", all5); + + var select13 = linear_select([ + msg39, + msg40, + ]); + + var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg41 = msg("30", part49); + + var msg42 = msg("30:01", dup238); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup25, + ])); + + var msg43 = msg("31", part50); + + var all6 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup25, + ]), + }); + + var msg44 = msg("31:01", all6); + + var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg45 = msg("31:02", part51); + + var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var 
msg46 = msg("31:03", part52); + + var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg47 = msg("31:04", part53); + + var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, + ]); + + var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg48 = msg("32", part54); + + var msg49 = msg("32:01", dup238); + + var select16 = linear_select([ + msg48, + msg49, + ]); + + var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup33, + ])); + + var msg50 = msg("33", part55); + + var all7 = all_match({ + processors: [ + dup34, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var msg51 = msg("33:01", all7); + + var select17 = linear_select([ + msg50, + msg51, + ]); + + var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, + ])); + + var msg52 = msg("34", part56); + + var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), + ])); + + var msg53 = msg("35", part57); + + var all8 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), + }); + + var msg54 = msg("35:01", all8); + + var select18 = linear_select([ + msg53, + msg54, + ]); + + var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, + ])); + + var msg55 = msg("36", part58); + + var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + + 
var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); + + var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var select19 = linear_select([ + part61, + dup42, + dup43, + ]); + + var all9 = all_match({ + processors: [ + part59, + dup188, + part60, + dup189, + dup41, + dup183, + dup17, + select19, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg56 = msg("36:01", all9); + + var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); + + var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); + + var select20 = linear_select([ + part62, + part63, + ]); + + var all10 = all_match({ + processors: [ + dup45, + dup190, + dup17, + dup183, + dup17, + select20, + dup47, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg57 = msg("36:02", all10); + + var select21 = linear_select([ + msg55, + msg56, + msg57, + ]); + + var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg58 = msg("37", part64); + + var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + + var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); + + var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var all11 = all_match({ + processors: [ + part65, + dup188, + part66, + select22, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg59 = msg("37:01", all11); + + var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, + ])); + + var msg60 = msg("37:02", part69); + + var all12 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg61 = msg("37:03", all12); + + var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, + ])); + + var msg62 = msg("37:04", part70); + + var select23 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + ]); + + var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg63 = msg("38", part71); + + var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); + + var select24 = linear_select([ + part72, + dup42, + ]); + + var all13 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup183, + dup17, + select24, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg64 = msg("38:01", all13); + + var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + + var all14 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup192, + part73, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg65 = msg("38:02", all14); + + var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + + var all15 = all_match({ + processors: [ + dup54, + dup193, + part74, + dup194, + part75, + ], + on_success: processor_chain([ + dup5, + dup11, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg66 = msg("38:03", all15); + + var select25 = linear_select([ + msg63, + msg64, + msg65, + msg66, + ]); + + var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg67 = msg("39", part76); + + var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg68 = msg("40", part77); + + var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg69 = msg("41:01", part78); + + var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, + ])); + + var msg70 = msg("41:02", part79); + + var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, + ])); + + var msg71 = msg("41:03", part80); + + var select26 = linear_select([ + msg69, + msg70, + msg71, + ]); + + var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, + ])); + + var msg72 = msg("42", part81); + + var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, + ])); + + var msg73 = msg("43", part82); + + var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, + ])); + + var msg74 = msg("44", part83); + + var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ 
+ dup5, + ])); + + var msg75 = msg("45", part84); + + var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, + ])); + + var msg76 = msg("45:01", part85); + + var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg77 = msg("45:02", part86); + + var select27 = linear_select([ + msg75, + msg76, + msg77, + ]); + + var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg78 = msg("46:01", part87); + + var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, + ])); + + var msg79 = msg("46:02", part88); + + var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg80 = msg("46", part89); + + var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all16 = all_match({ + processors: [ + part90, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg81 = msg("46:03", all16); + + var select28 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, + ])); + + var msg82 = msg("47", part91); + + var part92 = match("MESSAGE#81:48", "nwparser.payload", 
"Out-of-order command packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg83 = msg("48", part92); + + var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, + ])); + + var msg84 = msg("49", part93); + + var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, + ])); + + var msg85 = msg("50", part94); + + var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg86 = msg("51", part95); + + var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, + ])); + + var msg87 = msg("52", part96); + + var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ + dup2, + ])); + + var msg88 = msg("53", part97); + + var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup64, + ])); + + var msg89 = msg("58", part98); + + var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, + ])); + + var msg90 = msg("60", part99); + + var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, + ])); + + var msg91 = msg("61", part100); + + var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup65, + ])); + + var msg92 = msg("62", part101); + + var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup66, + ])); + + var msg93 = msg("63", part102); + + var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg94 
= msg("63:01", part103); + + var select29 = linear_select([ + msg93, + msg94, + ]); + + var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, + ])); + + var msg95 = msg("64", part104); + + var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg96 = msg("65", part105); + + var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg97 = msg("66", part106); + + var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup66, + ])); + + var msg98 = msg("67", part107); + + var all17 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg99 = msg("67:01", all17); + + var select30 = linear_select([ + msg98, + msg99, + ]); + + var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup66, + ])); + + var msg100 = msg("68", part108); + + var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup66, + ])); + + var msg101 = msg("69", part109); + + var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup66, + ])); + + var msg102 = msg("70", part110); + + var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); + + var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); + + var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); + + var select31 = linear_select([ + part112, + part113, + ]); + + var all18 = all_match({ + processors: [ + part111, + select31, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg103 = msg("70:01", all18); + + var select32 = linear_select([ + 
msg102, + msg103, + ]); + + var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg104 = msg("72", part114); + + var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup67, + ])); + + var msg105 = msg("72:01", part115); + + var select33 = linear_select([ + msg104, + msg105, + ]); + + var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg106 = msg("73", part116); + + var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg107 = msg("74", part117); + + var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg108 = msg("75", part118); + + var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg109 = msg("76", part119); + + var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg110 = msg("77", part120); + + var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg111 = msg("78", part121); + + var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg112 = msg("79", part122); + + var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg113 = msg("80", part123); + + var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg114 = msg("81", part124); + + var part125 = 
match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg115 = msg("82", part125); + + var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup70, + ])); + + var msg116 = msg("82:02", part126); + + var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup70, + ])); + + var msg117 = msg("82:03", part127); + + var msg118 = msg("82:01", dup195); + + var select34 = linear_select([ + msg115, + msg116, + msg117, + msg118, + ]); + + var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg119 = msg("83", part128); + + var msg120 = msg("83:01", dup196); + + var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg121 = msg("83:02", part129); + + var select35 = linear_select([ + msg119, + msg120, + msg121, + ]); + + var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + + var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + + var select36 = linear_select([ + part130, + part131, + ]); + + var all19 = all_match({ + processors: [ + select36, + ], + on_success: processor_chain([ + dup71, + setc("action","Failed to resolve name"), + ]), + }); + + var msg122 = msg("84", all19); + + var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup72, + ])); + + var 
msg123 = msg("87", part132); + + var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup72, + ])); + + var msg124 = msg("87:01", part133); + + var select37 = linear_select([ + msg123, + msg124, + ]); + + var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup66, + ])); + + var msg125 = msg("88", part134); + + var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg126 = msg("88:01", part135); + + var select38 = linear_select([ + msg125, + msg126, + ]); + + var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg127 = msg("89", part136); + + var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); + + var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); + + var select39 = linear_select([ + part137, + part138, + ]); + + var all20 = all_match({ + processors: [ + dup73, + select39, + ], + on_success: processor_chain([ + dup72, + ]), + }); + + var msg128 = msg("89:01", all20); + + var select40 = linear_select([ + msg127, + msg128, + ]); + + var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup72, + ])); + + var msg129 = msg("90", part139); + + var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup72, + ])); + + var msg130 = msg("91", part140); + + var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg131 = msg("92", part141); + + var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic 
Code A%{}", processor_chain([ + dup1, + ])); + + var msg132 = msg("93", part142); + + var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, + ])); + + var msg133 = msg("94", part143); + + var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, + ])); + + var msg134 = msg("95", part144); + + var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, + ])); + + var msg135 = msg("96", part145); + + var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, + ])); + + var msg136 = msg("97", part146); + + var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); + + var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + + var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + + var select41 = linear_select([ + part148, + part149, + ]); + + var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); + + var all21 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part147, + select41, + dup197, + part150, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg137 = msg("97:01", all21); + + var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); + + var all22 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part151, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg138 = msg("97:02", all22); + + var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all23 = all_match({ + processors: [ + dup77, + dup189, + dup41, + 
dup183, + part152, + dup197, + part153, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg139 = msg("97:03", all23); + + var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); + + var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all24 = all_match({ + processors: [ + dup77, + dup189, + dup41, + dup183, + part154, + dup197, + part155, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg140 = msg("97:04", all24); + + var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + + var all25 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part156, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg141 = msg("97:05", all25); + + var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); + + var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); + + var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); + + var select42 = linear_select([ + part158, + part159, + ]); + + var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all26 = all_match({ + processors: [ + part157, + select42, + part160, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg142 = msg("97:06", all26); + + var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{p0}"); + + var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); + + var select43 = linear_select([ + part162, + dup79, + ]); + + var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all27 = all_match({ + processors: [ + part161, + select43, + part163, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg143 = msg("97:07", all27); + + var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg144 = msg("97:08", part164); + + var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg145 = msg("97:09", part165); + + var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg146 = 
msg("97:10", part166); + + var select44 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); + + var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); + + var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); + + var select45 = linear_select([ + part168, + part169, + part170, + ]); + + var all28 = all_match({ + processors: [ + dup54, + dup193, + part167, + select45, + ], + on_success: processor_chain([ + dup78, + dup59, + setc("ec_activity","Stop"), + dup61, + dup62, + dup11, + setc("action","Opened"), + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg147 = msg("98", all28); + + var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg148 = msg("98:07", part171); + + var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); + + var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + + var select46 = linear_select([ + part173, + dup56, + ]); + + var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + + var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + + var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + 
+ var select47 = linear_select([ + part175, + part176, + ]); + + var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var select48 = linear_select([ + part177, + part178, + part179, + ]); + + var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); + + var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); + + var select49 = linear_select([ + dup80, + part181, + part182, + ]); + + var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); + + var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var select50 = linear_select([ + part183, + part184, + part185, + part186, + dup81, + dup43, + ]); + + var all29 = all_match({ + processors: [ + part172, + select46, + part174, + select47, + select48, + part180, + select49, + select50, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg149 = msg("98:01", all29); + + var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); + + var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); + + var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); + + var select51 = 
linear_select([ + part187, + part188, + part189, + ]); + + var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); + + var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); + + var select52 = linear_select([ + part191, + dup56, + ]); + + var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); + + var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var select53 = linear_select([ + part193, + part194, + dup85, + part195, + ]); + + var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); + + var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + + var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + + var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); + + var select54 = linear_select([ + part197, + part198, + part199, + dup86, + part200, + ]); + + var all30 = all_match({ + processors: [ + dup82, + select51, + part190, + select52, + part192, + dup198, + dup17, + select53, + part196, + select54, + ], + on_success: processor_chain([ + dup78, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg150 = msg("98:06", all30); + + var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + + var all31 = all_match({ + processors: [ + part201, + 
dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg151 = msg("98:02", all31); + + var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); + + var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); + + var select55 = linear_select([ + part202, + part203, + ]); + + var all32 = all_match({ + processors: [ + select55, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg152 = msg("98:03", all32); + + var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + + var all33 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part204, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg153 = msg("98:04", all33); + + var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + + var all34 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part205, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg154 = msg("98:05", all34); + + var select56 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + ]); + + var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup31, + dup11, + ])); + + var msg155 = msg("986", part206); + + var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); + + var all35 = all_match({ + processors: [ + dup73, + dup185, + dup183, + part207, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg156 = msg("427", all35); + + var part208 = match("MESSAGE#155:428/2", 
"nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var all36 = all_match({ + processors: [ + dup87, + dup194, + part208, + ], + on_success: processor_chain([ + dup23, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg157 = msg("428", all36); + + var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg158 = msg("99", part209); + + var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup72, + ])); + + var msg159 = msg("100", part210); + + var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg160 = msg("101", part211); + + var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg161 = msg("102", part212); + + var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg162 = msg("103", part213); + + var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg163 = msg("104", part214); + + var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg164 = msg("105", part215); + + var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup71, + ])); + + var msg165 = msg("106", part216); + + var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup72, + ])); + + var msg166 = msg("107", part217); + + var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup72, + ])); + + var msg167 = msg("108", part218); + + var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup71, + ])); + + var msg168 = msg("109", part219); + + var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup72, + ])); + + var msg169 = msg("110", part220); + + var msg170 = msg("111:01", dup199); + + var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup72, + ])); + + var msg171 = msg("111", part221); + + var select57 = linear_select([ + msg170, + msg171, + ]); + + var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup72, + ])); + + var msg172 = msg("112", part222); + + var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup72, + ])); + + var msg173 = msg("113", part223); + + var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup72, + ])); + + var msg174 = msg("114", part224); + + var msg175 = msg("115:01", dup199); + + var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg176 = msg("115", part225); + + var select58 = linear_select([ + msg175, + msg176, + ]); + + var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg177 = msg("116", part226); + + var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg178 = msg("117", part227); + + var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg179 = msg("118", part228); + + var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup71, + ])); + + var msg180 = msg("119", part229); + + var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup71, + ])); + + var msg181 = msg("120", part230); + + var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup72, + ])); + + var msg182 = msg("121", part231); + + var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup71, + ])); + + var msg183 = msg("122", part232); + + var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup71, + ])); + + var msg184 = msg("123", part233); + + var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup72, + ])); + + var msg185 = msg("124", part234); + + var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup72, + ])); + + var msg186 = msg("125", part235); + + var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg187 = msg("1254", part236); + + 
var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg188 = msg("1256", part237); + + var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg189 = msg("1257", part238); + + var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup72, + ])); + + var msg190 = msg("126", part239); + + var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup72, + ])); + + var msg191 = msg("127", part240); + + var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, + ])); + + var msg192 = msg("128", part241); + + var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, + ])); + + var msg193 = msg("129", part242); + + var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, + ])); + + var msg194 = msg("130", part243); + + var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, + ])); + + var msg195 = msg("131", part244); + + var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ + dup1, + ])); + + var msg196 = msg("132", part245); + + var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg197 = msg("133", part246); + + var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg198 = msg("134", part247); + + var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg199 = msg("135", part248); + + var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg200 = msg("136", part249); + + var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, + ])); + + var msg201 = msg("137", part250); + + var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, + ])); + + var msg202 = msg("138", part251); + + var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, + ])); + + var msg203 = msg("139", part252); + + var all37 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), + }); + + var msg204 = msg("139:01", all37); + + var select59 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("140", dup239); + + var msg206 = msg("141", dup239); + + var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg207 = msg("142", part253); + + var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg208 = msg("143", part254); + + var part255 = match("MESSAGE#207:1431", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg209 = msg("1431", part255); + + var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg210 = msg("144", part256); + + var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg211 = msg("145", part257); + + var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup92, + ])); + + var msg212 = msg("146", part258); + + var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup92, + ])); + + var msg213 = msg("147", part259); + + var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, + ])); + + var msg214 = msg("148", part260); + + var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, + ])); + + var msg215 = msg("1480", part261); + + var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, + ])); + + var msg216 = msg("149", part262); + + var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, + ])); + + var msg217 = msg("150", part263); + + var part264 = match("MESSAGE#216:151", "nwparser.payload", 
"Primary firewall preempting Backup%{}", processor_chain([ + dup1, + ])); + + var msg218 = msg("151", part264); + + var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, + ])); + + var msg219 = msg("152", part265); + + var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), + ])); + + var msg220 = msg("153", part266); + + var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup64, + ])); + + var msg221 = msg("154", part267); + + var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg222 = msg("155", part268); + + var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg223 = msg("156", part269); + + var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, + ])); + + var msg224 = msg("157:01", part270); + + var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, + ])); + + var msg225 = msg("157", part271); + + var select60 = linear_select([ + msg224, + msg225, + ]); + + var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup92, + ])); + + var msg226 = msg("158", part272); + + var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, + ])); + + var msg227 = msg("159", part273); + + var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ + 
setc("eventcategory","1203000000"), + ])); + + var msg228 = msg("160", part274); + + var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup65, + ])); + + var msg229 = msg("161", part275); + + var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup33, + ])); + + var msg230 = msg("162", part276); + + var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, + ])); + + var msg231 = msg("163", part277); + + var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, + ])); + + var msg232 = msg("164", part278); + + var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, + ])); + + var msg233 = msg("165", part279); + + var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, + ])); + + var msg234 = msg("166", part280); + + var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg235 = msg("167", part281); + + var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg236 = msg("168", part282); + + var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, + ])); + + var msg237 = msg("169", part283); + + var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, + ])); + + var msg238 = msg("170", part284); + + var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", 
processor_chain([ + dup70, + ])); + + var msg239 = msg("171", part285); + + var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg240 = msg("171:01", part286); + + var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg241 = msg("171:02", part287); + + var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all38 = all_match({ + processors: [ + part288, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var msg242 = msg("171:03", all38); + + var select61 = linear_select([ + msg239, + msg240, + msg241, + msg242, + ]); + + var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup70, + ])); + + var msg243 = msg("172", part289); + + var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup70, + ])); + + var msg244 = msg("172:01", part290); + + var select62 = linear_select([ + msg243, + msg244, + ]); + + var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup70, + ])); + + var msg245 = msg("173", part291); + + var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup67, + ])); + + var msg246 = msg("174", part292); + + var all39 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var msg247 = msg("174:01", all39); + + var all40 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg248 = msg("174:02", all40); + + var 
all41 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg249 = msg("174:03", all41); + + var select63 = linear_select([ + msg246, + msg247, + msg248, + msg249, + ]); + + var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup67, + ])); + + var msg250 = msg("175", part293); + + var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup67, + ])); + + var msg251 = msg("175:01", part294); + + var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup67, + ])); + + var msg252 = msg("175:02", part295); + + var select64 = linear_select([ + msg250, + msg251, + msg252, + ]); + + var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup93, + ])); + + var msg253 = msg("176", part296); + + var msg254 = msg("177", dup196); + + var msg255 = msg("178", dup201); + + var msg256 = msg("179", dup196); + + var all42 = all_match({ + processors: [ + dup34, + dup185, + dup187, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg257 = msg("180", all42); + + var all43 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg258 = msg("180:01", all43); + + var select65 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("181", dup195); + + var all44 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup70, + ]), + }); + + var msg260 = msg("181:01", all44); + + var select66 = linear_select([ + msg259, + msg260, + ]); + + var 
msg261 = msg("193", dup240); + + var msg262 = msg("194", dup241); + + var msg263 = msg("195", dup241); + + var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var all45 = all_match({ + processors: [ + part297, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg264 = msg("196", all45); + + var all46 = all_match({ + processors: [ + dup101, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg265 = msg("196:01", all46); + + var select67 = linear_select([ + msg264, + msg265, + ]); + + var msg266 = msg("199", dup242); + + var msg267 = msg("200", dup243); + + var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup30, + ])); + + var msg268 = msg("235:02", part298); + + var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + + var all47 = all_match({ + processors: [ + part299, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg269 = msg("235", all47); + + var msg270 = msg("235:01", dup244); + + var select68 = linear_select([ + msg268, + msg269, + msg270, + ]); + + var msg271 = msg("236", dup244); + + var msg272 = msg("237", dup242); + + var msg273 = msg("238", dup242); + + var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg274 = msg("239", part300); + + var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg275 = msg("240", part301); + + var part302 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup78, + ])); + + var msg276 = msg("241", part302); + + var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup78, + ])); + + var msg277 = msg("241:01", part303); + + var select69 = linear_select([ + msg276, + msg277, + ]); + + var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + + var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var select70 = linear_select([ + part304, + part305, + dup40, + ]); + + var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); + + var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); + + var select71 = linear_select([ + part306, + part307, + dup36, + ]); + + var all48 = all_match({ + processors: [ + dup51, + select70, + dup41, + select71, + ], + on_success: processor_chain([ + dup78, + ]), + }); + + var msg278 = msg("242", all48); + + var msg279 = msg("252", dup205); + + var msg280 = msg("255", dup205); + + var msg281 = msg("257", dup205); + + var msg282 = msg("261:01", dup245); + + var msg283 = msg("261", dup205); + + var select72 = linear_select([ + msg282, + msg283, + ]); + + var msg284 = msg("262", dup245); + + var all49 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg285 = msg("273", all49); + + var msg286 = msg("328", dup246); + + var msg287 = msg("329", dup243); + + var msg288 = msg("346", dup205); + + var msg289 = msg("350", dup205); + + var msg290 = msg("351", dup205); + + var msg291 = msg("352", dup205); + + var msg292 = msg("353:01", dup201); + + var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} 
dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup5, + ])); + + var msg293 = msg("353", part308); + + var select73 = linear_select([ + msg292, + msg293, + ]); + + var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, + ])); + + var msg294 = msg("354", part309); + + var msg295 = msg("355", dup206); + + var msg296 = msg("355:01", dup205); + + var select74 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("356", dup207); + + var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup93, + ])); + + var msg298 = msg("357", part310); + + var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var msg299 = msg("357:01", part311); + + var select75 = linear_select([ + msg298, + msg299, + ]); + + var msg300 = msg("358", dup208); + + var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), + ])); + + var msg301 = msg("371", part312); + + var msg302 = msg("371:01", dup209); + + var select76 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("372", dup205); + + var msg304 = msg("373", dup207); + + var msg305 = msg("401", dup247); + + var msg306 = msg("402", dup247); + + var msg307 = msg("406", dup208); + + var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var msg308 = msg("413", part313); + + var msg309 = msg("414", dup205); + + var msg310 = msg("438", dup248); 
+ + var msg311 = msg("439", dup248); + + var all50 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), + }); + + var msg312 = msg("440", all50); + + var all51 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), + }); + + var msg313 = msg("441", all51); + + var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), + ])); + + var msg314 = msg("441:01", part314); + + var select77 = linear_select([ + msg313, + msg314, + ]); + + var all52 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), + }); + + var msg315 = msg("442", all52); + + var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + + var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + + var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + + var select78 = linear_select([ + part316, + part317, + ]); + + var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all53 = all_match({ + processors: [ + part315, + select78, + part318, + dup211, + dup119, + ], + on_success: processor_chain([ + dup67, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg316 = msg("446", all53); + + var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup120, + dup59, + 
dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg317 = msg("477", part319); + + var all54 = all_match({ + processors: [ + dup73, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg318 = msg("509", all54); + + var all55 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var msg319 = msg("520", all55); + + var msg320 = msg("522", dup249); + + var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + + var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); + + var all56 = all_match({ + processors: [ + part320, + dup189, + part321, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg321 = msg("522:01", all56); + + var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + + var select79 = linear_select([ + part322, + dup46, + ]); + + var all57 = all_match({ + processors: [ + dup45, + select79, + dup17, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg322 = msg("522:02", all57); + + var select80 = linear_select([ + msg320, + msg321, + msg322, + ]); + + var msg323 = msg("523", dup249); + + var all58 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg324 = msg("524", all58); + + var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + + var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + + var select81 = linear_select([ + part323, + part324, + ]); + + var all59 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + select81, + dup47, + ], + on_success: 
processor_chain([ + dup1, + ]), + }); + + var msg325 = msg("524:01", all59); + + var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); + + var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); + + var select82 = linear_select([ + part326, + dup56, + ]); + + var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + + var all60 = all_match({ + processors: [ + part325, + select82, + part327, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), + }); + + var msg326 = msg("524:02", all60); + + var select83 = linear_select([ + msg324, + msg325, + msg326, + ]); + + var msg327 = msg("526", dup250); + + var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + + var select84 = linear_select([ + dup26, + part328, + dup46, + ]); + + var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); + + var select85 = linear_select([ + dup35, + part329, + ]); + + var all61 = all_match({ + processors: [ + dup73, + select84, + dup17, + select85, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg328 = msg("526:01", all61); + + var all62 = all_match({ + processors: [ + dup7, + dup213, + dup183, + dup121, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg329 = msg("526:02", all62); + + var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg330 = msg("526:03", part330); + + var part331 = 
match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg331 = msg("526:04", part331); + + var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg332 = msg("526:05", part332); + + var select86 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + ]); + + var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + + var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); + + var select87 = linear_select([ + part334, + dup123, + ]); + + var all63 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + part333, + select87, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg333 = msg("537:01", all63); + + var all64 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + dup81, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg334 = msg("537:02", all64); + + var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); + + var select88 = linear_select([ + part335, + part336, + part337, + ]); + + var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + + var 
part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); + + var select89 = linear_select([ + part339, + part340, + ]); + + var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); + + var select90 = linear_select([ + part341, + dup131, + part342, + dup132, + dup133, + ]); + + var all65 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select88, + part338, + select89, + dup218, + select90, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg335 = msg("537:08", all65); + + var select91 = linear_select([ + dup125, + dup124, + dup126, + dup38, + ]); + + var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); + + var select92 = linear_select([ + part343, + part344, + part345, + ]); + + var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var select93 = linear_select([ + part347, + dup131, + dup132, + dup133, + ]); + + var all66 = all_match({ + processors: [ + dup54, + select91, + dup217, + select92, + part346, + dup218, + select93, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg336 = msg("537:09", 
all66); + + var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); + + var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); + + var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); + + var select94 = linear_select([ + part348, + part349, + part350, + part351, + part352, + ]); + + var all67 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select94, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg337 = msg("537:07", all67); + + var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); + + var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); + + var select95 = linear_select([ + part354, + dup56, + ]); + + var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + + var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); + + var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); + + var select96 = linear_select([ + part356, + part357, + part358, + part359, + ]); + + var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); + + var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} 
rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + + var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + + var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + + var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + + var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); + + var select97 = linear_select([ + part361, + part362, + part363, + part364, + part365, + ]); + + var all68 = all_match({ + processors: [ + part353, + select95, + part355, + select96, + part360, + select97, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg338 = msg("537", all68); + + var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + + var all69 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part366, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg339 = msg("537:04", all69); + + var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); + + var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + + var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); + + var select98 = linear_select([ + part368, + part369, + ]); + + var all70 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part367, + select98, + dup96, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg340 = msg("537:05", all70); + + var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} 
dstMac=%{p0}"); + + var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + + var select99 = linear_select([ + part371, + part372, + part373, + ]); + + var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all71 = all_match({ + processors: [ + part370, + dup220, + dup139, + dup221, + select99, + part374, + dup222, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg341 = msg("537:10", all71); + + var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + + var select100 = linear_select([ + dup85, + part376, + part377, + ]); + + var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all72 = all_match({ + processors: [ + part375, + dup220, + dup139, + dup221, + select100, + part378, + dup222, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg342 = msg("537:03", all72); + + var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + + var all73 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part379, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg343 = msg("537:06", all73); + + var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg344 = msg("537:11", part380); + + var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg345 = msg("537:12", part381); + + var select101 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + ]); + + var msg346 = msg("538", dup240); + + var msg347 = msg("549", dup243); + + var msg348 = msg("557", dup243); + + var all74 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020200"), + ]), + }); + + var msg349 = msg("558", all74); + + var msg350 = msg("561", dup246); + + var msg351 = msg("562", dup246); + + var msg352 = msg("563", dup246); + + var all75 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), + }); + + var msg353 = msg("583", all75); + + var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, 
+ ])); + + var msg354 = msg("597:01", part382); + + var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, + ])); + + var msg355 = msg("597:02", part383); + + var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); + + var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var all76 = all_match({ + processors: [ + part384, + dup198, + part385, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg356 = msg("597:03", all76); + + var select102 = linear_select([ + msg354, + msg355, + msg356, + ]); + + var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, + ])); + + var msg357 = msg("598", part386); + + var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); + + var all77 = all_match({ + processors: [ + dup148, + dup192, + part387, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg358 = msg("598:01", all77); + + var all78 = all_match({ + processors: [ + dup148, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg359 = msg("598:02", all78); + + var select103 = linear_select([ + msg357, + msg358, + msg359, + ]); + + var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg360 = msg("602:01", 
part388); + + var msg361 = msg("602:02", dup250); + + var all79 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg362 = msg("602:03", all79); + + var select104 = linear_select([ + msg360, + msg361, + msg362, + ]); + + var msg363 = msg("605", dup208); + + var all80 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup211, + dup119, + ], + on_success: processor_chain([ + dup93, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg364 = msg("606", all80); + + var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + + var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + + var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + + var select105 = linear_select([ + part390, + part391, + ]); + + var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + + var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + + var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + + var select106 = linear_select([ + part393, + part394, + ]); + + var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + + var select107 = linear_select([ + part395, + dup154, + dup155, + ]); + + var all81 = all_match({ + processors: [ + part389, + select105, + part392, + select106, + dup153, + select107, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg365 = msg("608", all81); + + var msg366 = msg("616", dup206); + + var msg367 = msg("658", dup201); + + var msg368 = msg("710", dup224); + + var msg369 = msg("712:02", dup251); + + var msg370 = msg("712", dup224); + + var all82 = all_match({ + processors: [ + dup7, + dup182, + dup10, + 
dup202, + dup100, + ], + on_success: processor_chain([ + dup156, + ]), + }); + + var msg371 = msg("712:01", all82); + + var select108 = linear_select([ + msg369, + msg370, + msg371, + ]); + + var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg372 = msg("713:01", part396); + + var msg373 = msg("713:04", dup251); + + var msg374 = msg("713:02", dup224); + + var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg375 = msg("713:03", part397); + + var select109 = linear_select([ + msg372, + msg373, + msg374, + msg375, + ]); + + var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg376 = msg("760", part398); + + var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); + + var all83 = all_match({ + processors: [ + part399, + dup182, + dup10, + dup202, + part400, + ], + on_success: processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg377 = msg("760:01", all83); + + var select110 = linear_select([ + msg376, + msg377, + ]); + + var msg378 = msg("766", dup228); + + var msg379 = msg("860", dup228); + + var msg380 = msg("860:01", dup229); + + var select111 = linear_select([ + msg379, + msg380, + ]); + + var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + + var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); + + var select112 = linear_select([ + part402, + part403, + ]); + + var all84 = all_match({ + processors: [ + part401, + select112, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg381 = msg("866", all84); + + var msg382 = msg("866:01", dup229); + + var select113 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = msg("867", dup228); + + var msg384 = msg("867:01", dup229); + + var select114 = linear_select([ + msg383, + msg384, + ]); + + var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, + ])); + + var msg385 = msg("882", part404); + + var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, + ])); + + var msg386 = msg("882:01", part405); + + var select115 = linear_select([ + msg385, + msg386, + ]); + + var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup165, + ])); + + var msg387 = msg("888", part406); + + var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup165, + ])); + + var msg388 = msg("888:01", part407); + + var select116 = linear_select([ + msg387, + msg388, + ]); + + var all85 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup165, + ]), + }); + + var msg389 = msg("892", all85); + + var msg390 = msg("904", dup228); + + var msg391 = msg("905", dup228); + + var msg392 = msg("906", dup228); + + var msg393 = msg("907", dup228); + + var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); + + var select117 = linear_select([ + part408, + dup167, + ]); + + var all86 = all_match({ + processors: [ + dup166, + select117, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg394 = msg("908", all86); + + var msg395 = msg("909", dup228); + + var msg396 = msg("914", dup230); + + var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup72, + ])); + + var msg397 = msg("931", part409); + + var msg398 = msg("657", dup230); + + var all87 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg399 = msg("657:01", all87); + + var select118 = linear_select([ + msg398, + msg399, + ]); + + var msg400 = msg("403", dup209); + + var msg401 = msg("534", dup184); + + var msg402 = msg("994", dup231); + + var part410 = 
match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg403 = msg("243", part410); + + var msg404 = msg("995", dup184); + + var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup59, + dup61, + dup62, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg405 = msg("997", part411); + + var msg406 = msg("998", dup231); + + var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup11, + ])); + + var msg407 = msg("998:01", part412); + + var select119 = linear_select([ + msg406, + msg407, + ]); + + var msg408 = msg("1110", dup232); + + var msg409 = msg("565", dup232); + + var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup62, + ])); + + var msg410 = msg("404", part413); + + var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + + var select120 = linear_select([ + part414, + dup58, + ]); + + var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + + var all88 = all_match({ + processors: [ + dup87, + select120, + part415, + ], + on_success: processor_chain([ + dup111, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, 
+ ]), + }); + + var msg411 = msg("267:01", all88); + + var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup62, + ])); + + var msg412 = msg("267", part416); + + var select121 = linear_select([ + msg411, + msg412, + ]); + + var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg413 = msg("263", part417); + + var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg414 = msg("264", part418); + + var msg415 = msg("412", dup209); + + var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg416 = msg("793", part419); + + var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup24, + ])); + + var msg417 = msg("805", part420); + + var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg418 = msg("809", part421); + + var part422 = match("MESSAGE#418:809:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg419 = msg("809:01", part422); + + var select122 = linear_select([ + msg418, + msg419, + ]); + + var msg420 = msg("935", dup230); + + var msg421 = msg("614", dup233); + + var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var all89 = all_match({ + processors: [ + part423, + dup211, + dup119, + ], + on_success: processor_chain([ + dup66, + dup44, + ]), + }); + + var msg422 = msg("748", all89); + + var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + + var select123 = linear_select([ + part425, + dup118, + ]); + + var all90 = all_match({ + processors: [ + part424, + select123, + dup119, + ], + on_success: processor_chain([ + dup171, + dup44, + ]), + }); + + var msg423 = msg("794", all90); + + var msg424 = msg("1086", dup233); + + var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var msg425 = msg("1430", part426); + + var msg426 = msg("1149", dup233); + + var msg427 = msg("1159", dup233); + + var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + 
dup44, + ])); + + var msg428 = msg("1195", part427); + + var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup171, + dup44, + ])); + + var msg429 = msg("1195:01", part428); + + var select124 = linear_select([ + msg428, + msg429, + ]); + + var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg430 = msg("1226", part429); + + var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg431 = msg("1222", part430); + + var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg432 = msg("1154", part431); + + var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all91 = all_match({ + processors: [ + part432, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + dup24, + ]), + }); + + var msg433 = msg("1154:01", all91); + + var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup172, + dup11, + ])); + + var msg434 = msg("1154:02", part433); + + var part434 = match("MESSAGE#434:1154:03/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var select125 = linear_select([ + part435, + dup79, + ]); + + var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all92 = all_match({ + processors: [ + part434, + select125, + part436, + ], + on_success: processor_chain([ + dup172, + dup11, + ]), + }); + + var msg435 = msg("1154:03", all92); + + var select126 = linear_select([ + msg432, + msg433, + msg434, + msg435, + ]); + + var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup173, + ])); + + var msg436 = msg("msg", part437); + + var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup173, + ])); + + var msg437 = msg("src", part438); + + var all93 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg438 = msg("1235", all93); + + var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); + + var all94 = all_match({ + processors: [ + dup7, + dup185, + dup10, + dup202, + part439, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg439 = msg("1197", all94); + + var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all95 = all_match({ + processors: [ + part440, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg440 = msg("1199", all95); + + var part441 = 
match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg441 = msg("1199:01", part441); + + var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg442 = msg("1199:02", part442); + + var select127 = linear_select([ + msg440, + msg441, + msg442, + ]); + + var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + + var all96 = all_match({ + processors: [ + part443, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg443 = msg("1155", all96); + + var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup111, + ])); + + var msg444 = msg("1155:01", part444); + + var select128 = linear_select([ + msg443, + msg444, + ]); + + var all97 = all_match({ + processors: [ + dup176, + dup213, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg445 = msg("1198", all97); + + var all98 = all_match({ + processors: [ + dup7, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg446 = msg("714", all98); + + var msg447 = 
msg("709", dup252); + + var msg448 = msg("1005", dup252); + + var msg449 = msg("1003", dup252); + + var msg450 = msg("1007", dup253); + + var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg451 = msg("1008", part445); + + var msg452 = msg("708", dup253); + + var all99 = all_match({ + processors: [ + dup176, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg453 = msg("1201", all99); + + var msg454 = msg("1201:01", dup253); + + var select129 = linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("654", dup234); + + var msg456 = msg("670", dup234); + + var msg457 = msg("884", dup253); + + var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg458 = msg("1153", part446); + + var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); + + var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); + + var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); + + var select130 = linear_select([ + part447, + part448, + part449, + ]); + + var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + + var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var select131 = linear_select([ + part451, + dup26, + ]); + + var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + + var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + + var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + + var select132 = linear_select([ + part452, + part453, + part454, + ]); + + var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + + var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); + + var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); + + var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); + + var select133 = linear_select([ + part456, + part457, + part458, + ]); + + var all100 = all_match({ + processors: [ + dup54, + select130, + part450, + select131, + select132, + part455, + select133, + dup123, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg459 = msg("1153:01", all100); + + var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); + + var select134 = linear_select([ + part459, + part460, + ]); + + var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + + var all101 = all_match({ + processors: [ + dup82, + select134, + part461, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg460 = msg("1153:02", all101); + + var select135 = linear_select([ + msg458, + msg459, + msg460, + ]); + + var part462 = match("MESSAGE#460:1107", "nwparser.payload", 
"msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg461 = msg("1107", part462); + + var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + + var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); + + var select136 = linear_select([ + part464, + part465, + ]); + + var all102 = all_match({ + processors: [ + part463, + select136, + dup153, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg462 = msg("1220", all102); + + var all103 = all_match({ + processors: [ + dup149, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg463 = msg("1230", all103); + + var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg464 = msg("1231", part466); + + var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg465 = msg("1233", part467); + + var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + + var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + + var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + + var select137 = linear_select([ + part469, + part470, + ]); + + var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + + var part472 = match("MESSAGE#465:1079/3_0", 
"nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); + + var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); + + var select138 = linear_select([ + part472, + part473, + dup38, + ]); + + var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); + + var all104 = all_match({ + processors: [ + part468, + select137, + part471, + select138, + part474, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg466 = msg("1079", all104); + + var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg467 = msg("1079:01", part475); + + var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg468 = msg("1079:02", part476); + + var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg469 = msg("1079:03", part477); + + var select139 = linear_select([ + msg466, + msg467, + msg468, + msg469, + ]); + + var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + + var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var select140 = linear_select([ + dup8, + part479, + ]); + + var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var select141 = 
linear_select([ + dup135, + part480, + ]); + + var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); + + var all105 = all_match({ + processors: [ + part478, + select140, + select141, + part481, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg470 = msg("1080", all105); + + var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg471 = msg("580", part482); + + var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + + var all106 = all_match({ + processors: [ + part483, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg472 = msg("1369", all106); + + var all107 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg473 = msg("1370", all107); + + var all108 = all_match({ + processors: [ + dup149, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg474 = msg("1371", all108); + + var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); + + var select142 = linear_select([ + dup167, + part484, + ]); + + var all109 = all_match({ + processors: [ + dup166, + select142, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, 
+ dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg475 = msg("1387", all109); + + var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); + + var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); + + var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); + + var select143 = linear_select([ + part486, + part487, + ]); + + var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); + + var select144 = linear_select([ + part488, + dup154, + dup155, + ]); + + var all110 = all_match({ + processors: [ + part485, + select143, + dup153, + select144, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg476 = msg("1391", all110); + + var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg477 = msg("1253", part489); + + var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg478 = msg("1009", part490); + + var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); + + var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); + + var part493 = match("MESSAGE#478:910/1_1", 
"nwparser.p0", "%{dinterface}srcMac=%{p0}"); + + var select145 = linear_select([ + part492, + part493, + ]); + + var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + + var all111 = all_match({ + processors: [ + part491, + select145, + part494, + ], + on_success: processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg479 = msg("910", all111); + + var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup22, + dup44, + ])); + + var msg480 = msg("m:01", part495); + + var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg481 = msg("1011", part496); + + var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup172, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg482 = msg("609", part497); + + var msg483 = msg("796", dup237); + + var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg484 = msg("880", part498); + + var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg485 = msg("1309", part499); + + var msg486 = msg("1310", dup237); + + var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); + + var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); + + var select146 = linear_select([ + part501, + part502, + ]); + + var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + + var all112 = all_match({ + processors: [ + part500, + select146, + part503, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg487 = msg("1232", all112); + + var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all113 = all_match({ + processors: [ + part504, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg488 = msg("1447", all113); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select139, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select57, + 
"1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select58, + "1153": select135, + "1154": select126, + "1155": select128, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select124, + "1197": msg439, + "1198": msg445, + "1199": select127, + "12": select4, + "120": msg181, + "1201": select129, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select59, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select60, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select61, + "172": select62, + "173": msg245, + "174": select63, + "175": select64, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select65, + "181": select66, + "19": msg24, + "193": msg261, + "194": msg262, + 
"195": msg263, + "196": select67, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select68, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select69, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select72, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select121, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select18, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select73, + "354": msg294, + "355": select74, + "356": msg297, + "357": select75, + "358": msg300, + "36": select21, + "37": select23, + "371": select76, + "372": msg303, + "373": msg304, + "38": select25, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select26, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select77, + "442": msg315, + "446": msg316, + "45": select27, + "46": select28, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select80, + "523": msg323, + "524": select83, + "526": select86, + "53": msg88, + "534": msg401, + "537": select101, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select102, + "598": select103, + "6": select3, + "60": msg90, + "602": select104, + "605": msg363, + "606": msg364, + "608": msg365, + 
"609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select29, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select118, + "658": msg367, + "66": msg97, + "67": select30, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select32, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select108, + "713": select109, + "714": msg446, + "72": select33, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select110, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select122, + "81": msg114, + "82": select34, + "83": select35, + "84": msg122, + "860": select111, + "866": select113, + "867": select114, + "87": select37, + "88": select38, + "880": msg484, + "882": select115, + "884": msg457, + "888": select116, + "89": select40, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select44, + "98": select56, + "986": msg155, + "99": msg158, + "994": msg402, + "995": msg404, + "997": msg405, + "998": select119, + "m": msg480, + "msg": msg436, + "src": msg437, + }), + ]); + + var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + 
var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); + + var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} 
dst= %{p0}"); + + var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + + var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", 
"dstname=%{name}"); + + var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part608 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var select147 = linear_select([ + dup8, + dup9, + ]); + + var select148 = linear_select([ + dup15, + dup16, + ]); + + var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + 
])); + + var select149 = linear_select([ + dup26, + dup27, + ]); + + var select150 = linear_select([ + dup28, + dup29, + ]); + + var select151 = linear_select([ + dup35, + dup36, + ]); + + var select152 = linear_select([ + dup37, + dup38, + ]); + + var select153 = linear_select([ + dup39, + dup40, + ]); + + var select154 = linear_select([ + dup26, + dup46, + ]); + + var select155 = linear_select([ + dup48, + dup49, + ]); + + var select156 = linear_select([ + dup52, + dup53, + ]); + + var select157 = linear_select([ + dup55, + dup56, + ]); + + var select158 = linear_select([ + dup57, + dup58, + ]); + + var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var select159 = linear_select([ + dup75, + dup76, + ]); + + var select160 = linear_select([ + dup83, + dup84, + ]); + + var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var select161 = linear_select([ + dup94, + dup95, + ]); + + var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var select162 = linear_select([ + dup98, + dup99, + ]); + + var select163 = linear_select([ + dup86, + dup102, + ]); + + var select164 = linear_select([ + dup103, + dup104, + ]); + + var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var part630 = match("MESSAGE#293:355", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var select165 = linear_select([ + dup114, + dup115, + ]); + + var select166 = linear_select([ + dup117, + dup118, + ]); + + var select167 = linear_select([ + dup43, + dup42, + ]); + + var select168 = linear_select([ + dup8, + dup27, + ]); + + var select169 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var select170 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var select171 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var select172 = linear_select([ + dup127, + dup128, + ]); + + var select173 = linear_select([ + dup129, + dup130, + ]); + + var select174 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var select175 = linear_select([ + dup138, + dup56, + ]); + + var select176 = linear_select([ + dup140, + dup141, + ]); + + var select177 = linear_select([ + dup142, + dup143, + ]); + + var select178 = linear_select([ + dup150, + dup151, + ]); + + var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var select179 = linear_select([ + dup158, + dup38, + ]); + + var select180 = linear_select([ + dup160, + dup161, + ]); + + var select181 = linear_select([ + dup162, + dup163, + ]); + + var part635 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var select182 = linear_select([ + dup177, + dup178, + ]); + + var select183 = linear_select([ + dup180, + dup181, + ]); + + var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var all114 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all115 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var all116 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all117 = all_match({ + processors: [ + 
dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all118 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var all119 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all120 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var all121 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var all122 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup112, + ]), + }); + + var all123 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var all124 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var all125 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var all126 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all127 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var all128 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all129 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain 
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/sonicwall/0.8.2/data_stream/firewall/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..62b0a8c15e
--- /dev/null
+++ b/packages/sonicwall/0.8.2/data_stream/firewall/agent/stream/udp.yml.hbs
@@ -0,0 +1,9736 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Sonicwall" + product: "Firewalls" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} n=%{fld2->} src=%{p0}"); + + var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var dup11 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup12 = setc("eventcategory","1502010000"); + + var dup13 = setc("eventcategory","1502020000"); + + var dup14 = setc("eventcategory","1002010000"); + + var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var dup18 = setf("hostip","hhostip"); + + var dup19 = setf("id","hid"); + + var dup20 = setf("serial_number","hserial_number"); + + var dup21 = setf("category","hcategory"); + + var dup22 = setf("severity","hseverity"); + + var dup23 = setc("eventcategory","1805010000"); + + var dup24 = call({ + dest: "nwparser.msg", + fn: RMQ, + args: [ + field("msg"), + ], + }); + + var dup25 = setc("eventcategory","1302000000"); + + var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var dup30 = setc("eventcategory","1401050100"); + + var dup31 = setc("eventcategory","1401030000"); + + var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" 
n=%{fld->} src=%{p0}"); + + var dup33 = setc("eventcategory","1301020000"); + + var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var dup44 = date_time({ + dest: "event_time", + args: ["date","time"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var 
dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var dup59 = setc("ec_subject","NetworkComm"); + + var dup60 = setc("ec_activity","Deny"); + + var dup61 = setc("ec_theme","Communication"); + + var dup62 = setf("msg","$MSG"); + + var dup63 = setc("action","dropped"); + + var dup64 = setc("eventcategory","1608010000"); + + var dup65 = setc("eventcategory","1302010000"); + + var dup66 = setc("eventcategory","1301000000"); + + var dup67 = setc("eventcategory","1001000000"); + + var dup68 = setc("eventcategory","1003030000"); + + var dup69 = setc("eventcategory","1003050000"); + + var dup70 = setc("eventcategory","1103000000"); + + var dup71 = setc("eventcategory","1603110000"); + + var dup72 = setc("eventcategory","1605020000"); + + var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup78 = setc("eventcategory","1801000000"); + + var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} 
sent=%{sbytes}"); + + var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); + + var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup88 = setf("id","hfld1"); + + var dup89 = setc("eventcategory","1001020309"); + + var dup90 = setc("eventcategory","1303000000"); + + var dup91 = setc("eventcategory","1801010100"); + + var dup92 = setc("eventcategory","1604010000"); + + var dup93 = setc("eventcategory","1002020000"); + + var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var dup97 = setc("eventcategory","1001010000"); + + var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", 
"rcvd=%{rbytes->} cmd=%{p0}"); + + var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var dup106 = setc("eventcategory","1401060000"); + + var dup107 = setc("eventcategory","1804000000"); + + var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var dup109 = setc("eventcategory","1401070000"); + + var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var dup111 = setc("eventcategory","1801030000"); + + var dup112 = setc("eventcategory","1402020300"); + + var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); + + var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var dup116 = setc("eventcategory","1402000000"); + + var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var dup120 = setc("eventcategory","1803020000"); + + var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + 
+ var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var dup144 = setc("event_description","Connection Closed"); + + var dup145 = setc("eventcategory","1801020000"); + + var dup146 = setc("ec_activity","Permit"); + + var dup147 = setc("action","allowed"); + + var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var dup156 = setc("eventcategory","1001030500"); + + var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var dup165 = setc("eventcategory","1801010000"); + + var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} 
%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var dup170 = setc("eventcategory","1003010000"); + + var dup171 = setc("eventcategory","1609000000"); + + var dup172 = setc("eventcategory","1204000000"); + + var dup173 = setc("eventcategory","1602000000"); + + var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var dup175 = setc("eventcategory","1803000000"); + + var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var dup182 = linear_select([ + dup8, + dup9, + ]); + + var dup183 = linear_select([ + dup15, + dup16, + ]); + + var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup185 = linear_select([ + dup26, + dup27, + ]); + + var dup186 = linear_select([ + dup28, + dup29, + ]); + + var dup187 = linear_select([ + dup35, + dup36, + ]); + + var dup188 = linear_select([ + dup37, + dup38, + ]); + + var dup189 = linear_select([ + dup39, + dup40, + ]); + + var dup190 = linear_select([ + dup26, + dup46, + ]); + + var dup191 = linear_select([ + dup48, + dup49, + ]); + + var dup192 = linear_select([ + dup52, + dup53, + ]); + + var dup193 = linear_select([ + dup55, + dup56, + ]); + + var dup194 = linear_select([ + dup57, + dup58, + ]); + + var dup195 = 
match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var dup197 = linear_select([ + dup75, + dup76, + ]); + + var dup198 = linear_select([ + dup83, + dup84, + ]); + + var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var dup200 = linear_select([ + dup94, + dup95, + ]); + + var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var dup202 = linear_select([ + dup98, + dup99, + ]); + + var dup203 = linear_select([ + dup86, + dup102, + ]); + + var dup204 = linear_select([ + dup103, + dup104, + ]); + + var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup210 = linear_select([ + dup114, + dup115, + ]); + + var dup211 = linear_select([ + dup117, + dup118, + ]); + + var dup212 = linear_select([ + dup43, + dup42, + ]); + + var dup213 = linear_select([ + dup8, + dup27, + ]); + + var dup214 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var dup215 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var dup216 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var dup217 = linear_select([ + dup127, + dup128, + ]); + + var dup218 = linear_select([ + dup129, + dup130, + ]); + + var dup219 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var dup220 = linear_select([ + dup138, + dup56, + ]); + + var dup221 = linear_select([ + dup140, + dup141, + ]); + + var dup222 = linear_select([ + dup142, + dup143, + ]); + + var dup223 = linear_select([ + dup150, + dup151, + ]); + + var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var dup225 = linear_select([ + dup158, + dup38, + ]); + + var dup226 = linear_select([ + dup160, + dup161, + ]); + + var dup227 = linear_select([ + dup162, + dup163, + ]); + + var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var dup235 = linear_select([ + dup177, + dup178, + ]); + + var dup236 = linear_select([ + dup180, + dup181, + ]); + + var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var dup238 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup239 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var dup240 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup241 = all_match({ + processors: [ + dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var dup242 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var dup243 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var dup244 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var dup245 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var dup246 = all_match({ + processors: [ + dup110, + dup185, + dup187, 
+ ], + on_success: processor_chain([ + dup112, + ]), + }); + + var dup247 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var dup248 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var dup249 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var dup250 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup251 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var dup252 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var dup253 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("= "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0003"), 
+ ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ + dup1, + ])); + + var msg1 = msg("4", part1); + + var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ + dup1, + ])); + + var msg2 = msg("5", part2); + + var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg3 = msg("5:01", part3); + + var select2 = linear_select([ + msg2, + msg3, + ]); + + var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ + dup1, + ])); + + var msg4 = msg("6", part4); + + var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg5 = msg("6:01", part5); + + var select3 = linear_select([ + msg4, + msg5, + ]); + + var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ + dup2, + ])); + + var msg6 = msg("7", part6); + + var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ + dup3, + ])); + + var msg7 = msg("8", part7); + + var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ + dup4, + ])); + + var msg8 = msg("9", part8); + + var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ + dup4, + ])); + + var msg9 = msg("10", part9); + + var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your 
DNS server%{}", processor_chain([ + dup4, + ])); + + var msg10 = msg("11", part10); + + var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ + dup5, + ])); + + var msg11 = msg("12", part11); + + var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup5, + ])); + + var msg12 = msg("12:01", part12); + + var select4 = linear_select([ + msg11, + msg12, + ]); + + var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ + dup1, + ])); + + var msg13 = msg("13", part13); + + var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); + + var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); + + var select5 = linear_select([ + part14, + part15, + ]); + + var all1 = all_match({ + processors: [ + select5, + ], + on_success: processor_chain([ + dup6, + setc("action","Web site access denied"), + ]), + }); + + var msg14 = msg("14", all1); + + var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); + + var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); + + var select6 = linear_select([ + part16, + part17, + ]); + + var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); + + var all2 = all_match({ + processors: [ + dup7, + dup182, + dup10, + select6, + part18, + ], + on_success: processor_chain([ + dup6, + ]), + }); + + var msg15 = msg("14:01", all2); + + var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg16 = msg("14:02", part19); + + var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg17 = msg("14:03", part20); + + var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg18 = msg("14:04", part21); + + var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup6, + dup11, + ])); + + var msg19 = msg("14:05", part22); + + var select7 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + ]); + + var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ + dup12, + ])); + + var msg20 = msg("15", part23); + + var 
part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ + dup13, + ])); + + var msg21 = msg("16", part24); + + var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ + dup13, + ])); + + var msg22 = msg("17", part25); + + var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ + dup12, + ])); + + var msg23 = msg("18", part26); + + var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ + dup12, + ])); + + var msg24 = msg("19", part27); + + var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ + dup12, + ])); + + var msg25 = msg("20", part28); + + var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ + dup1, + ])); + + var msg26 = msg("21", part29); + + var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ + dup14, + ])); + + var msg27 = msg("22", part30); + + var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ + dup14, + ])); + + var msg28 = msg("23", part31); + + var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); + + var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); + + var select8 = linear_select([ + part33, + part34, + ]); + + var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); + + var all3 = all_match({ + processors: [ + part32, + dup183, + dup17, + select8, + part35, + ], + on_success: processor_chain([ + dup14, + ]), + }); + + var msg29 = msg("23:01", all3); + + var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: 
%{smacaddr}", processor_chain([ + dup14, + ])); + + var msg30 = msg("23:02", part36); + + var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); + + var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); + + var select9 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); + + var all4 = all_match({ + processors: [ + part37, + select9, + part40, + ], + on_success: processor_chain([ + dup14, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg31 = msg("23:03", all4); + + var select10 = linear_select([ + msg28, + msg29, + msg30, + msg31, + ]); + + var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup23, + ])); + + var msg32 = msg("24", part41); + + var msg33 = msg("24:01", dup184); + + var select11 = linear_select([ + msg32, + msg33, + ]); + + var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg34 = msg("25", part42); + + var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ + dup14, + ])); + + var msg35 = msg("26", part43); + + var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg36 = msg("27", part44); + + var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ + dup14, + ])); + + var msg37 = msg("28", part45); + + var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup14, + ])); + + var msg38 = msg("28:01", part46); + + var select12 = linear_select([ + msg37, + msg38, + ]); + + var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup25, + ])); + + var msg39 = msg("29", part47); + + var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var all5 = all_match({ + processors: [ + part48, + dup185, + dup186, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg40 = msg("29:01", all5); + + var select13 = linear_select([ + msg39, + msg40, + ]); + + var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg41 = msg("30", part49); + + var msg42 = msg("30:01", dup238); + + var select14 = linear_select([ + msg41, + msg42, + ]); + + var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup25, + ])); + + var msg43 = msg("31", part50); + + var all6 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup25, + ]), + }); + + var msg44 = msg("31:01", all6); + + var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg45 = msg("31:02", part51); + + var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var 
msg46 = msg("31:03", part52); + + var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, + dup11, + ])); + + var msg47 = msg("31:04", part53); + + var select15 = linear_select([ + msg43, + msg44, + msg45, + msg46, + msg47, + ]); + + var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup31, + ])); + + var msg48 = msg("32", part54); + + var msg49 = msg("32:01", dup238); + + var select16 = linear_select([ + msg48, + msg49, + ]); + + var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup33, + ])); + + var msg50 = msg("33", part55); + + var all7 = all_match({ + processors: [ + dup34, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var msg51 = msg("33:01", all7); + + var select17 = linear_select([ + msg50, + msg51, + ]); + + var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ + dup5, + ])); + + var msg52 = msg("34", part56); + + var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ + setc("eventcategory","1401040000"), + ])); + + var msg53 = msg("35", part57); + + var all8 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1401050200"), + ]), + }); + + var msg54 = msg("35:01", all8); + + var select18 = linear_select([ + msg53, + msg54, + ]); + + var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ + dup5, + ])); + + var msg55 = msg("36", part58); + + var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); + + 
var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); + + var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var select19 = linear_select([ + part61, + dup42, + dup43, + ]); + + var all9 = all_match({ + processors: [ + part59, + dup188, + part60, + dup189, + dup41, + dup183, + dup17, + select19, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg56 = msg("36:01", all9); + + var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); + + var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); + + var select20 = linear_select([ + part62, + part63, + ]); + + var all10 = all_match({ + processors: [ + dup45, + dup190, + dup17, + dup183, + dup17, + select20, + dup47, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg57 = msg("36:02", all10); + + var select21 = linear_select([ + msg55, + msg56, + msg57, + ]); + + var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg58 = msg("37", part64); + + var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); + + var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); + + var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); + + var select22 = linear_select([ + part67, + part68, + ]); + + var all11 = all_match({ + processors: [ + part65, + dup188, + part66, + select22, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg59 = msg("37:01", all11); + + var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr->} rule=%{rule}", processor_chain([ + dup5, + ])); + + var msg60 = msg("37:02", part69); + + var all12 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg61 = msg("37:03", all12); + + var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup11, + ])); + + var msg62 = msg("37:04", part70); + + var select23 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + ]); + + var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg63 = msg("38", part71); + + var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); + + var select24 = linear_select([ + part72, + dup42, + ]); + + var all13 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup183, + dup17, + select24, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg64 = msg("38:01", all13); + + var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); + + var all14 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup192, + part73, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg65 = msg("38:02", all14); + + var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); + + var all15 = all_match({ + processors: [ + dup54, + dup193, + part74, + dup194, + part75, + ], + on_success: processor_chain([ + dup5, + dup11, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg66 = msg("38:03", all15); + + var select25 = linear_select([ + msg63, + msg64, + msg65, + msg66, + ]); + + var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg67 = msg("39", part76); + + var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg68 = msg("40", part77); + + var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg69 = msg("41:01", part78); + + var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ + dup5, + ])); + + var msg70 = msg("41:02", part79); + + var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ + dup5, + ])); + + var msg71 = msg("41:03", part80); + + var select26 = linear_select([ + msg69, + msg70, + msg71, + ]); + + var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ + dup5, + ])); + + var msg72 = msg("42", part81); + + var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ + dup5, + ])); + + var msg73 = msg("43", part82); + + var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ + dup5, + ])); + + var msg74 = msg("44", part83); + + var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ 
+ dup5, + ])); + + var msg75 = msg("45", part84); + + var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup5, + ])); + + var msg76 = msg("45:01", part85); + + var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg77 = msg("45:02", part86); + + var select27 = linear_select([ + msg75, + msg76, + msg77, + ]); + + var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg78 = msg("46:01", part87); + + var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup5, + ])); + + var msg79 = msg("46:02", part88); + + var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg80 = msg("46", part89); + + var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all16 = all_match({ + processors: [ + part90, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg81 = msg("46:03", all16); + + var select28 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ + dup5, + ])); + + var msg82 = msg("47", part91); + + var part92 = match("MESSAGE#81:48", "nwparser.payload", 
"Out-of-order command packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg83 = msg("48", part92); + + var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ + dup5, + ])); + + var msg84 = msg("49", part93); + + var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ + dup5, + ])); + + var msg85 = msg("50", part94); + + var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ + dup5, + ])); + + var msg86 = msg("51", part95); + + var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ + dup5, + ])); + + var msg87 = msg("52", part96); + + var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ + dup2, + ])); + + var msg88 = msg("53", part97); + + var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup64, + ])); + + var msg89 = msg("58", part98); + + var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ + dup12, + ])); + + var msg90 = msg("60", part99); + + var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ + dup1, + ])); + + var msg91 = msg("61", part100); + + var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup65, + ])); + + var msg92 = msg("62", part101); + + var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup66, + ])); + + var msg93 = msg("63", part102); + + var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg94 
= msg("63:01", part103); + + var select29 = linear_select([ + msg93, + msg94, + ]); + + var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ + dup1, + ])); + + var msg95 = msg("64", part104); + + var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg96 = msg("65", part105); + + var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup66, + ])); + + var msg97 = msg("66", part106); + + var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup66, + ])); + + var msg98 = msg("67", part107); + + var all17 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg99 = msg("67:01", all17); + + var select30 = linear_select([ + msg98, + msg99, + ]); + + var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup66, + ])); + + var msg100 = msg("68", part108); + + var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup66, + ])); + + var msg101 = msg("69", part109); + + var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup66, + ])); + + var msg102 = msg("70", part110); + + var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); + + var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); + + var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); + + var select31 = linear_select([ + part112, + part113, + ]); + + var all18 = all_match({ + processors: [ + part111, + select31, + ], + on_success: processor_chain([ + dup66, + ]), + }); + + var msg103 = msg("70:01", all18); + + var select32 = linear_select([ + 
msg102, + msg103, + ]); + + var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg104 = msg("72", part114); + + var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup67, + ])); + + var msg105 = msg("72:01", part115); + + var select33 = linear_select([ + msg104, + msg105, + ]); + + var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg106 = msg("73", part116); + + var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg107 = msg("74", part117); + + var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup68, + ])); + + var msg108 = msg("75", part118); + + var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg109 = msg("76", part119); + + var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg110 = msg("77", part120); + + var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup69, + ])); + + var msg111 = msg("78", part121); + + var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg112 = msg("79", part122); + + var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup67, + ])); + + var msg113 = msg("80", part123); + + var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ + dup14, + ])); + + var msg114 = msg("81", part124); + + var part125 = 
match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg115 = msg("82", part125); + + var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup70, + ])); + + var msg116 = msg("82:02", part126); + + var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup70, + ])); + + var msg117 = msg("82:03", part127); + + var msg118 = msg("82:01", dup195); + + var select34 = linear_select([ + msg115, + msg116, + msg117, + msg118, + ]); + + var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup70, + ])); + + var msg119 = msg("83", part128); + + var msg120 = msg("83:01", dup196); + + var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup5, + ])); + + var msg121 = msg("83:02", part129); + + var select35 = linear_select([ + msg119, + msg120, + msg121, + ]); + + var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); + + var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); + + var select36 = linear_select([ + part130, + part131, + ]); + + var all19 = all_match({ + processors: [ + select36, + ], + on_success: processor_chain([ + dup71, + setc("action","Failed to resolve name"), + ]), + }); + + var msg122 = msg("84", all19); + + var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup72, + ])); + + var 
msg123 = msg("87", part132); + + var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup72, + ])); + + var msg124 = msg("87:01", part133); + + var select37 = linear_select([ + msg123, + msg124, + ]); + + var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup66, + ])); + + var msg125 = msg("88", part134); + + var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, + ])); + + var msg126 = msg("88:01", part135); + + var select38 = linear_select([ + msg125, + msg126, + ]); + + var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg127 = msg("89", part136); + + var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); + + var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); + + var select39 = linear_select([ + part137, + part138, + ]); + + var all20 = all_match({ + processors: [ + dup73, + select39, + ], + on_success: processor_chain([ + dup72, + ]), + }); + + var msg128 = msg("89:01", all20); + + var select40 = linear_select([ + msg127, + msg128, + ]); + + var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup72, + ])); + + var msg129 = msg("90", part139); + + var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup72, + ])); + + var msg130 = msg("91", part140); + + var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup72, + ])); + + var msg131 = msg("92", part141); + + var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic 
Code A%{}", processor_chain([ + dup1, + ])); + + var msg132 = msg("93", part142); + + var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ + dup1, + ])); + + var msg133 = msg("94", part143); + + var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ + dup1, + ])); + + var msg134 = msg("95", part144); + + var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ + dup1, + ])); + + var msg135 = msg("96", part145); + + var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ + dup1, + ])); + + var msg136 = msg("97", part146); + + var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); + + var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); + + var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); + + var select41 = linear_select([ + part148, + part149, + ]); + + var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); + + var all21 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part147, + select41, + dup197, + part150, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg137 = msg("97:01", all21); + + var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); + + var all22 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part151, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg138 = msg("97:02", all22); + + var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); + + var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all23 = all_match({ + processors: [ + dup77, + dup189, + dup41, + 
dup183, + part152, + dup197, + part153, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg139 = msg("97:03", all23); + + var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); + + var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); + + var all24 = all_match({ + processors: [ + dup77, + dup189, + dup41, + dup183, + part154, + dup197, + part155, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg140 = msg("97:04", all24); + + var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); + + var all25 = all_match({ + processors: [ + dup74, + dup189, + dup41, + dup183, + part156, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg141 = msg("97:05", all25); + + var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); + + var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); + + var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); + + var select42 = linear_select([ + part158, + part159, + ]); + + var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all26 = all_match({ + processors: [ + part157, + select42, + part160, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg142 = msg("97:06", all26); + + var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{p0}"); + + var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); + + var select43 = linear_select([ + part162, + dup79, + ]); + + var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all27 = all_match({ + processors: [ + part161, + select43, + part163, + ], + on_success: processor_chain([ + dup78, + dup11, + ]), + }); + + var msg143 = msg("97:07", all27); + + var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg144 = msg("97:08", part164); + + var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg145 = msg("97:09", part165); + + var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg146 = 
msg("97:10", part166); + + var select44 = linear_select([ + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + ]); + + var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); + + var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); + + var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); + + var select45 = linear_select([ + part168, + part169, + part170, + ]); + + var all28 = all_match({ + processors: [ + dup54, + dup193, + part167, + select45, + ], + on_success: processor_chain([ + dup78, + dup59, + setc("ec_activity","Stop"), + dup61, + dup62, + dup11, + setc("action","Opened"), + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg147 = msg("98", all28); + + var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg148 = msg("98:07", part171); + + var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); + + var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); + + var select46 = linear_select([ + part173, + dup56, + ]); + + var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); + + var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); + + var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); + 
+ var select47 = linear_select([ + part175, + part176, + ]); + + var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + + var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + + var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + + var select48 = linear_select([ + part177, + part178, + part179, + ]); + + var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); + + var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); + + var select49 = linear_select([ + dup80, + part181, + part182, + ]); + + var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); + + var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + + var select50 = linear_select([ + part183, + part184, + part185, + part186, + dup81, + dup43, + ]); + + var all29 = all_match({ + processors: [ + part172, + select46, + part174, + select47, + select48, + part180, + select49, + select50, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg149 = msg("98:01", all29); + + var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); + + var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); + + var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); + + var select51 = 
linear_select([ + part187, + part188, + part189, + ]); + + var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); + + var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); + + var select52 = linear_select([ + part191, + dup56, + ]); + + var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); + + var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var select53 = linear_select([ + part193, + part194, + dup85, + part195, + ]); + + var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); + + var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); + + var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); + + var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); + + var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); + + var select54 = linear_select([ + part197, + part198, + part199, + dup86, + part200, + ]); + + var all30 = all_match({ + processors: [ + dup82, + select51, + part190, + select52, + part192, + dup198, + dup17, + select53, + part196, + select54, + ], + on_success: processor_chain([ + dup78, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg150 = msg("98:06", all30); + + var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); + + var all31 = all_match({ + processors: [ + part201, + 
dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg151 = msg("98:02", all31); + + var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); + + var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); + + var select55 = linear_select([ + part202, + part203, + ]); + + var all32 = all_match({ + processors: [ + select55, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg152 = msg("98:03", all32); + + var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); + + var all33 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part204, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg153 = msg("98:04", all33); + + var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); + + var all34 = all_match({ + processors: [ + dup7, + dup185, + dup183, + part205, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg154 = msg("98:05", all34); + + var select56 = linear_select([ + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + ]); + + var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup31, + dup11, + ])); + + var msg155 = msg("986", part206); + + var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); + + var all35 = all_match({ + processors: [ + dup73, + dup185, + dup183, + part207, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg156 = msg("427", all35); + + var part208 = match("MESSAGE#155:428/2", 
"nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var all36 = all_match({ + processors: [ + dup87, + dup194, + part208, + ], + on_success: processor_chain([ + dup23, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg157 = msg("428", all36); + + var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg158 = msg("99", part209); + + var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup72, + ])); + + var msg159 = msg("100", part210); + + var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg160 = msg("101", part211); + + var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg161 = msg("102", part212); + + var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg162 = msg("103", part213); + + var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg163 = msg("104", part214); + + var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup72, + ])); + + var msg164 = msg("105", part215); + + var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup71, + ])); + + var msg165 = msg("106", part216); + + var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ + dup72, + ])); + + var msg166 = msg("107", part217); + + var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup72, + ])); + + var msg167 = msg("108", part218); + + var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup71, + ])); + + var msg168 = msg("109", part219); + + var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup72, + ])); + + var msg169 = msg("110", part220); + + var msg170 = msg("111:01", dup199); + + var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup72, + ])); + + var msg171 = msg("111", part221); + + var select57 = linear_select([ + msg170, + msg171, + ]); + + var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup72, + ])); + + var msg172 = msg("112", part222); + + var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup72, + ])); + + var msg173 = msg("113", part223); + + var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup72, + ])); + + var msg174 = msg("114", part224); + + var msg175 = msg("115:01", dup199); + + var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, + ])); + + var msg176 = msg("115", part225); + + var select58 = linear_select([ + msg175, + msg176, + ]); + + var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, + ])); + + var msg177 = msg("116", part226); + + var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ + dup72, + ])); + + var msg178 = msg("117", part227); + + var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, + ])); + + var msg179 = msg("118", part228); + + var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup71, + ])); + + var msg180 = msg("119", part229); + + var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup71, + ])); + + var msg181 = msg("120", part230); + + var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup72, + ])); + + var msg182 = msg("121", part231); + + var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup71, + ])); + + var msg183 = msg("122", part232); + + var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup71, + ])); + + var msg184 = msg("123", part233); + + var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup72, + ])); + + var msg185 = msg("124", part234); + + var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup72, + ])); + + var msg186 = msg("125", part235); + + var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg187 = msg("1254", part236); + + 
var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg188 = msg("1256", part237); + + var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup89, + dup11, + ])); + + var msg189 = msg("1257", part238); + + var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup72, + ])); + + var msg190 = msg("126", part239); + + var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup72, + ])); + + var msg191 = msg("127", part240); + + var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ + dup5, + ])); + + var msg192 = msg("128", part241); + + var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ + dup5, + ])); + + var msg193 = msg("129", part242); + + var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ + dup1, + ])); + + var msg194 = msg("130", part243); + + var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ + dup1, + ])); + + var msg195 = msg("131", part244); + + var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ + dup1, + ])); + + var msg196 = msg("132", part245); + + var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg197 = msg("133", part246); + + var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ + dup1, + ])); + + var msg198 = msg("134", part247); + + var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg199 = msg("135", part248); + + var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup90, + ])); + + var msg200 = msg("136", part249); + + var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ + dup3, + ])); + + var msg201 = msg("137", part250); + + var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ + dup3, + ])); + + var msg202 = msg("138", part251); + + var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ + dup5, + ])); + + var msg203 = msg("139", part252); + + var all37 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1801020100"), + ]), + }); + + var msg204 = msg("139:01", all37); + + var select59 = linear_select([ + msg203, + msg204, + ]); + + var msg205 = msg("140", dup239); + + var msg206 = msg("141", dup239); + + var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg207 = msg("142", part253); + + var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ + dup1, + ])); + + var msg208 = msg("143", part254); + + var part255 = match("MESSAGE#207:1431", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup11, + ])); + + var msg209 = msg("1431", part255); + + var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg210 = msg("144", part256); + + var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ + dup1, + ])); + + var msg211 = msg("145", part257); + + var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup92, + ])); + + var msg212 = msg("146", part258); + + var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup92, + ])); + + var msg213 = msg("147", part259); + + var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ + dup1, + ])); + + var msg214 = msg("148", part260); + + var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + setc("eventcategory","1204010000"), + dup11, + ])); + + var msg215 = msg("1480", part261); + + var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ + dup1, + ])); + + var msg216 = msg("149", part262); + + var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ + dup1, + ])); + + var msg217 = msg("150", part263); + + var part264 = match("MESSAGE#216:151", "nwparser.payload", 
"Primary firewall preempting Backup%{}", processor_chain([ + dup1, + ])); + + var msg218 = msg("151", part264); + + var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ + dup1, + ])); + + var msg219 = msg("152", part265); + + var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ + setc("eventcategory","1603010000"), + ])); + + var msg220 = msg("153", part266); + + var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup64, + ])); + + var msg221 = msg("154", part267); + + var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg222 = msg("155", part268); + + var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup92, + ])); + + var msg223 = msg("156", part269); + + var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup1, + ])); + + var msg224 = msg("157:01", part270); + + var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ + dup5, + ])); + + var msg225 = msg("157", part271); + + var select60 = linear_select([ + msg224, + msg225, + ]); + + var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup92, + ])); + + var msg226 = msg("158", part272); + + var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ + dup5, + ])); + + var msg227 = msg("159", part273); + + var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ + 
setc("eventcategory","1203000000"), + ])); + + var msg228 = msg("160", part274); + + var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup65, + ])); + + var msg229 = msg("161", part275); + + var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup33, + ])); + + var msg230 = msg("162", part276); + + var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ + dup5, + ])); + + var msg231 = msg("163", part277); + + var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ + dup5, + ])); + + var msg232 = msg("164", part278); + + var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ + dup1, + ])); + + var msg233 = msg("165", part279); + + var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ + dup12, + ])); + + var msg234 = msg("166", part280); + + var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg235 = msg("167", part281); + + var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ + dup12, + ])); + + var msg236 = msg("168", part282); + + var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ + dup1, + ])); + + var msg237 = msg("169", part283); + + var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ + dup1, + ])); + + var msg238 = msg("170", part284); + + var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", 
processor_chain([ + dup70, + ])); + + var msg239 = msg("171", part285); + + var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg240 = msg("171:01", part286); + + var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var msg241 = msg("171:02", part287); + + var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all38 = all_match({ + processors: [ + part288, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var msg242 = msg("171:03", all38); + + var select61 = linear_select([ + msg239, + msg240, + msg241, + msg242, + ]); + + var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup70, + ])); + + var msg243 = msg("172", part289); + + var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup70, + ])); + + var msg244 = msg("172:01", part290); + + var select62 = linear_select([ + msg243, + msg244, + ]); + + var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup70, + ])); + + var msg245 = msg("173", part291); + + var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup67, + ])); + + var msg246 = msg("174", part292); + + var all39 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var msg247 = msg("174:01", all39); + + var all40 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg248 = msg("174:02", all40); + + var 
all41 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup191, + dup50, + ], + on_success: processor_chain([ + dup12, + ]), + }); + + var msg249 = msg("174:03", all41); + + var select63 = linear_select([ + msg246, + msg247, + msg248, + msg249, + ]); + + var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup67, + ])); + + var msg250 = msg("175", part293); + + var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup67, + ])); + + var msg251 = msg("175:01", part294); + + var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup67, + ])); + + var msg252 = msg("175:02", part295); + + var select64 = linear_select([ + msg250, + msg251, + msg252, + ]); + + var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup93, + ])); + + var msg253 = msg("176", part296); + + var msg254 = msg("177", dup196); + + var msg255 = msg("178", dup201); + + var msg256 = msg("179", dup196); + + var all42 = all_match({ + processors: [ + dup34, + dup185, + dup187, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg257 = msg("180", all42); + + var all43 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup97, + ]), + }); + + var msg258 = msg("180:01", all43); + + var select65 = linear_select([ + msg257, + msg258, + ]); + + var msg259 = msg("181", dup195); + + var all44 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup70, + ]), + }); + + var msg260 = msg("181:01", all44); + + var select66 = linear_select([ + msg259, + msg260, + ]); + + var 
msg261 = msg("193", dup240); + + var msg262 = msg("194", dup241); + + var msg263 = msg("195", dup241); + + var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var all45 = all_match({ + processors: [ + part297, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg264 = msg("196", all45); + + var all46 = all_match({ + processors: [ + dup101, + dup204, + dup105, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg265 = msg("196:01", all46); + + var select67 = linear_select([ + msg264, + msg265, + ]); + + var msg266 = msg("199", dup242); + + var msg267 = msg("200", dup243); + + var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup30, + ])); + + var msg268 = msg("235:02", part298); + + var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); + + var all47 = all_match({ + processors: [ + part299, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg269 = msg("235", all47); + + var msg270 = msg("235:01", dup244); + + var select68 = linear_select([ + msg268, + msg269, + msg270, + ]); + + var msg271 = msg("236", dup244); + + var msg272 = msg("237", dup242); + + var msg273 = msg("238", dup242); + + var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg274 = msg("239", part300); + + var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, + ])); + + var msg275 = msg("240", part301); + + var part302 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup78, + ])); + + var msg276 = msg("241", part302); + + var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup78, + ])); + + var msg277 = msg("241:01", part303); + + var select69 = linear_select([ + msg276, + msg277, + ]); + + var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); + + var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); + + var select70 = linear_select([ + part304, + part305, + dup40, + ]); + + var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); + + var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); + + var select71 = linear_select([ + part306, + part307, + dup36, + ]); + + var all48 = all_match({ + processors: [ + dup51, + select70, + dup41, + select71, + ], + on_success: processor_chain([ + dup78, + ]), + }); + + var msg278 = msg("242", all48); + + var msg279 = msg("252", dup205); + + var msg280 = msg("255", dup205); + + var msg281 = msg("257", dup205); + + var msg282 = msg("261:01", dup245); + + var msg283 = msg("261", dup205); + + var select72 = linear_select([ + msg282, + msg283, + ]); + + var msg284 = msg("262", dup245); + + var all49 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg285 = msg("273", all49); + + var msg286 = msg("328", dup246); + + var msg287 = msg("329", dup243); + + var msg288 = msg("346", dup205); + + var msg289 = msg("350", dup205); + + var msg290 = msg("351", dup205); + + var msg291 = msg("352", dup205); + + var msg292 = msg("353:01", dup201); + + var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} 
dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup5, + ])); + + var msg293 = msg("353", part308); + + var select73 = linear_select([ + msg292, + msg293, + ]); + + var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ + dup1, + ])); + + var msg294 = msg("354", part309); + + var msg295 = msg("355", dup206); + + var msg296 = msg("355:01", dup205); + + var select74 = linear_select([ + msg295, + msg296, + ]); + + var msg297 = msg("356", dup207); + + var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup93, + ])); + + var msg298 = msg("357", part310); + + var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var msg299 = msg("357:01", part311); + + var select75 = linear_select([ + msg298, + msg299, + ]); + + var msg300 = msg("358", dup208); + + var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ + setc("eventcategory","1503000000"), + ])); + + var msg301 = msg("371", part312); + + var msg302 = msg("371:01", dup209); + + var select76 = linear_select([ + msg301, + msg302, + ]); + + var msg303 = msg("372", dup205); + + var msg304 = msg("373", dup207); + + var msg305 = msg("401", dup247); + + var msg306 = msg("402", dup247); + + var msg307 = msg("406", dup208); + + var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var msg308 = msg("413", part313); + + var msg309 = msg("414", dup205); + + var msg310 = msg("438", dup248); 
+ + var msg311 = msg("439", dup248); + + var all50 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501020000"), + ]), + }); + + var msg312 = msg("440", all50); + + var all51 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1502050000"), + ]), + }); + + var msg313 = msg("441", all51); + + var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + setc("eventcategory","1001020000"), + ])); + + var msg314 = msg("441:01", part314); + + var select77 = linear_select([ + msg313, + msg314, + ]); + + var all52 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1501030000"), + ]), + }); + + var msg315 = msg("442", all52); + + var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); + + var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); + + var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); + + var select78 = linear_select([ + part316, + part317, + ]); + + var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all53 = all_match({ + processors: [ + part315, + select78, + part318, + dup211, + dup119, + ], + on_success: processor_chain([ + dup67, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg316 = msg("446", all53); + + var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup120, + dup59, + 
dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg317 = msg("477", part319); + + var all54 = all_match({ + processors: [ + dup73, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var msg318 = msg("509", all54); + + var all55 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var msg319 = msg("520", all55); + + var msg320 = msg("522", dup249); + + var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); + + var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); + + var all56 = all_match({ + processors: [ + part320, + dup189, + part321, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg321 = msg("522:01", all56); + + var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); + + var select79 = linear_select([ + part322, + dup46, + ]); + + var all57 = all_match({ + processors: [ + dup45, + select79, + dup17, + dup183, + dup121, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg322 = msg("522:02", all57); + + var select80 = linear_select([ + msg320, + msg321, + msg322, + ]); + + var msg323 = msg("523", dup249); + + var all58 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg324 = msg("524", all58); + + var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); + + var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); + + var select81 = linear_select([ + part323, + part324, + ]); + + var all59 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + select81, + dup47, + ], + on_success: 
processor_chain([ + dup1, + ]), + }); + + var msg325 = msg("524:01", all59); + + var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); + + var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); + + var select82 = linear_select([ + part326, + dup56, + ]); + + var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); + + var all60 = all_match({ + processors: [ + part325, + select82, + part327, + ], + on_success: processor_chain([ + dup6, + dup11, + ]), + }); + + var msg326 = msg("524:02", all60); + + var select83 = linear_select([ + msg324, + msg325, + msg326, + ]); + + var msg327 = msg("526", dup250); + + var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); + + var select84 = linear_select([ + dup26, + part328, + dup46, + ]); + + var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); + + var select85 = linear_select([ + dup35, + part329, + ]); + + var all61 = all_match({ + processors: [ + dup73, + select84, + dup17, + select85, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg328 = msg("526:01", all61); + + var all62 = all_match({ + processors: [ + dup7, + dup213, + dup183, + dup121, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg329 = msg("526:02", all62); + + var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg330 = msg("526:03", part330); + + var part331 = 
match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg331 = msg("526:04", part331); + + var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup11, + ])); + + var msg332 = msg("526:05", part332); + + var select86 = linear_select([ + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + ]); + + var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); + + var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); + + var select87 = linear_select([ + part334, + dup123, + ]); + + var all63 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + part333, + select87, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg333 = msg("537:01", all63); + + var all64 = all_match({ + processors: [ + dup122, + dup214, + dup17, + dup215, + dup81, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg334 = msg("537:02", all64); + + var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); + + var select88 = linear_select([ + part335, + part336, + part337, + ]); + + var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); + + var 
part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); + + var select89 = linear_select([ + part339, + part340, + ]); + + var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); + + var select90 = linear_select([ + part341, + dup131, + part342, + dup132, + dup133, + ]); + + var all65 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select88, + part338, + select89, + dup218, + select90, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg335 = msg("537:08", all65); + + var select91 = linear_select([ + dup125, + dup124, + dup126, + dup38, + ]); + + var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); + + var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); + + var select92 = linear_select([ + part343, + part344, + part345, + ]); + + var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); + + var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var select93 = linear_select([ + part347, + dup131, + dup132, + dup133, + ]); + + var all66 = all_match({ + processors: [ + dup54, + select91, + dup217, + select92, + part346, + dup218, + select93, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg336 = msg("537:09", 
all66); + + var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + + var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); + + var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); + + var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); + + var select94 = linear_select([ + part348, + part349, + part350, + part351, + part352, + ]); + + var all67 = all_match({ + processors: [ + dup54, + dup216, + dup217, + select94, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg337 = msg("537:07", all67); + + var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); + + var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); + + var select95 = linear_select([ + part354, + dup56, + ]); + + var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); + + var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); + + var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); + + var select96 = linear_select([ + part356, + part357, + part358, + part359, + ]); + + var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); + + var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} 
rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); + + var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); + + var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); + + var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); + + var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); + + var select97 = linear_select([ + part361, + part362, + part363, + part364, + part365, + ]); + + var all68 = all_match({ + processors: [ + part353, + select95, + part355, + select96, + part360, + select97, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg338 = msg("537", all68); + + var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); + + var all69 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part366, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg339 = msg("537:04", all69); + + var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); + + var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); + + var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); + + var select98 = linear_select([ + part368, + part369, + ]); + + var all70 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part367, + select98, + dup96, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg340 = msg("537:05", all70); + + var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} 
dstMac=%{p0}"); + + var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); + + var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + + var select99 = linear_select([ + part371, + part372, + part373, + ]); + + var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all71 = all_match({ + processors: [ + part370, + dup220, + dup139, + dup221, + select99, + part374, + dup222, + ], + on_success: processor_chain([ + dup111, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg341 = msg("537:10", all71); + + var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); + + var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); + + var select100 = linear_select([ + dup85, + part376, + part377, + ]); + + var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); + + var all72 = all_match({ + processors: [ + part375, + dup220, + dup139, + dup221, + select100, + part378, + dup222, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg342 = msg("537:03", all72); + + var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); + + var all73 = all_match({ + processors: [ + dup134, + dup190, + dup17, + dup219, + part379, + ], + on_success: processor_chain([ + dup111, + ]), + }); + + var msg343 = msg("537:06", all73); + + var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg344 = msg("537:11", part380); + + var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, + dup11, + dup144, + ])); + + var msg345 = msg("537:12", part381); + + var select101 = linear_select([ + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + ]); + + var msg346 = msg("538", dup240); + + var msg347 = msg("549", dup243); + + var msg348 = msg("557", dup243); + + var all74 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020200"), + ]), + }); + + var msg349 = msg("558", all74); + + var msg350 = msg("561", dup246); + + var msg351 = msg("562", dup246); + + var msg352 = msg("563", dup246); + + var all75 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + setc("eventcategory","1402020400"), + ]), + }); + + var msg353 = msg("583", all75); + + var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, 
+ ])); + + var msg354 = msg("597:01", part382); + + var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ + dup1, + ])); + + var msg355 = msg("597:02", part383); + + var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); + + var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var all76 = all_match({ + processors: [ + part384, + dup198, + part385, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg356 = msg("597:03", all76); + + var select102 = linear_select([ + msg354, + msg355, + msg356, + ]); + + var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ + dup1, + ])); + + var msg357 = msg("598", part386); + + var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); + + var all77 = all_match({ + processors: [ + dup148, + dup192, + part387, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg358 = msg("598:01", all77); + + var all78 = all_match({ + processors: [ + dup148, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg359 = msg("598:02", all78); + + var select103 = linear_select([ + msg357, + msg358, + msg359, + ]); + + var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ + dup145, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg360 = msg("602:01", 
part388); + + var msg361 = msg("602:02", dup250); + + var all79 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg362 = msg("602:03", all79); + + var select104 = linear_select([ + msg360, + msg361, + msg362, + ]); + + var msg363 = msg("605", dup208); + + var all80 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup211, + dup119, + ], + on_success: processor_chain([ + dup93, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg364 = msg("606", all80); + + var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); + + var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); + + var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); + + var select105 = linear_select([ + part390, + part391, + ]); + + var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); + + var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); + + var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); + + var select106 = linear_select([ + part393, + part394, + ]); + + var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); + + var select107 = linear_select([ + part395, + dup154, + dup155, + ]); + + var all81 = all_match({ + processors: [ + part389, + select105, + part392, + select106, + dup153, + select107, + ], + on_success: processor_chain([ + dup1, + dup44, + ]), + }); + + var msg365 = msg("608", all81); + + var msg366 = msg("616", dup206); + + var msg367 = msg("658", dup201); + + var msg368 = msg("710", dup224); + + var msg369 = msg("712:02", dup251); + + var msg370 = msg("712", dup224); + + var all82 = all_match({ + processors: [ + dup7, + dup182, + dup10, + 
dup202, + dup100, + ], + on_success: processor_chain([ + dup156, + ]), + }); + + var msg371 = msg("712:01", all82); + + var select108 = linear_select([ + msg369, + msg370, + msg371, + ]); + + var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg372 = msg("713:01", part396); + + var msg373 = msg("713:04", dup251); + + var msg374 = msg("713:02", dup224); + + var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ + dup5, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg375 = msg("713:03", part397); + + var select109 = linear_select([ + msg372, + msg373, + msg374, + msg375, + ]); + + var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg376 = msg("760", part398); + + var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); + + var all83 = all_match({ + processors: [ + part399, + dup182, + dup10, + dup202, + part400, + ], + on_success: processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, + dup11, + dup63, + dup18, + 
dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg377 = msg("760:01", all83); + + var select110 = linear_select([ + msg376, + msg377, + ]); + + var msg378 = msg("766", dup228); + + var msg379 = msg("860", dup228); + + var msg380 = msg("860:01", dup229); + + var select111 = linear_select([ + msg379, + msg380, + ]); + + var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); + + var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); + + var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); + + var select112 = linear_select([ + part402, + part403, + ]); + + var all84 = all_match({ + processors: [ + part401, + select112, + ], + on_success: processor_chain([ + dup5, + dup44, + ]), + }); + + var msg381 = msg("866", all84); + + var msg382 = msg("866:01", dup229); + + var select113 = linear_select([ + msg381, + msg382, + ]); + + var msg383 = msg("867", dup228); + + var msg384 = msg("867:01", dup229); + + var select114 = linear_select([ + msg383, + msg384, + ]); + + var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup1, + ])); + + var msg385 = msg("882", part404); + + var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ + dup1, + ])); + + var msg386 = msg("882:01", part405); + + var select115 = linear_select([ + msg385, + msg386, + ]); + + var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup165, + ])); + + var msg387 = msg("888", part406); + + var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup165, + ])); + + var msg388 = msg("888:01", part407); + + var select116 = linear_select([ + msg387, + msg388, + ]); + + var all85 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup165, + ]), + }); + + var msg389 = msg("892", all85); + + var msg390 = msg("904", dup228); + + var msg391 = msg("905", dup228); + + var msg392 = msg("906", dup228); + + var msg393 = msg("907", dup228); + + var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); + + var select117 = linear_select([ + part408, + dup167, + ]); + + var all86 = all_match({ + processors: [ + dup166, + select117, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg394 = msg("908", all86); + + var msg395 = msg("909", dup228); + + var msg396 = msg("914", dup230); + + var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup72, + ])); + + var msg397 = msg("931", part409); + + var msg398 = msg("657", dup230); + + var all87 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var msg399 = msg("657:01", all87); + + var select118 = linear_select([ + msg398, + msg399, + ]); + + var msg400 = msg("403", dup209); + + var msg401 = msg("534", dup184); + + var msg402 = msg("994", dup231); + + var part410 = 
match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg403 = msg("243", part410); + + var msg404 = msg("995", dup184); + + var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ + dup1, + dup59, + dup61, + dup62, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg405 = msg("997", part411); + + var msg406 = msg("998", dup231); + + var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup11, + ])); + + var msg407 = msg("998:01", part412); + + var select119 = linear_select([ + msg406, + msg407, + ]); + + var msg408 = msg("1110", dup232); + + var msg409 = msg("565", dup232); + + var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup62, + ])); + + var msg410 = msg("404", part413); + + var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + + var select120 = linear_select([ + part414, + dup58, + ]); + + var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); + + var all88 = all_match({ + processors: [ + dup87, + select120, + part415, + ], + on_success: processor_chain([ + dup111, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, 
+ ]), + }); + + var msg411 = msg("267:01", all88); + + var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ + dup1, + dup62, + ])); + + var msg412 = msg("267", part416); + + var select121 = linear_select([ + msg411, + msg412, + ]); + + var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ + dup1, + dup24, + ])); + + var msg413 = msg("263", part417); + + var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg414 = msg("264", part418); + + var msg415 = msg("412", dup209); + + var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg416 = msg("793", part419); + + var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ + dup1, + dup24, + ])); + + var msg417 = msg("805", part420); + + var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg418 = msg("809", part421); + + var part422 = match("MESSAGE#418:809:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, + dup11, + ])); + + var msg419 = msg("809:01", part422); + + var select122 = linear_select([ + msg418, + msg419, + ]); + + var msg420 = msg("935", dup230); + + var msg421 = msg("614", dup233); + + var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var all89 = all_match({ + processors: [ + part423, + dup211, + dup119, + ], + on_success: processor_chain([ + dup66, + dup44, + ]), + }); + + var msg422 = msg("748", all89); + + var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); + + var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); + + var select123 = linear_select([ + part425, + dup118, + ]); + + var all90 = all_match({ + processors: [ + part424, + select123, + dup119, + ], + on_success: processor_chain([ + dup171, + dup44, + ]), + }); + + var msg423 = msg("794", all90); + + var msg424 = msg("1086", dup233); + + var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var msg425 = msg("1430", part426); + + var msg426 = msg("1149", dup233); + + var msg427 = msg("1159", dup233); + + var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + 
dup44, + ])); + + var msg428 = msg("1195", part427); + + var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup171, + dup44, + ])); + + var msg429 = msg("1195:01", part428); + + var select124 = linear_select([ + msg428, + msg429, + ]); + + var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg430 = msg("1226", part429); + + var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup44, + ])); + + var msg431 = msg("1222", part430); + + var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ + dup1, + dup24, + ])); + + var msg432 = msg("1154", part431); + + var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); + + var all91 = all_match({ + processors: [ + part432, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + dup24, + ]), + }); + + var msg433 = msg("1154:01", all91); + + var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup172, + dup11, + ])); + + var msg434 = msg("1154:02", part433); + + var part434 = match("MESSAGE#434:1154:03/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); + + var select125 = linear_select([ + part435, + dup79, + ]); + + var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); + + var all92 = all_match({ + processors: [ + part434, + select125, + part436, + ], + on_success: processor_chain([ + dup172, + dup11, + ]), + }); + + var msg435 = msg("1154:03", all92); + + var select126 = linear_select([ + msg432, + msg433, + msg434, + msg435, + ]); + + var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup173, + ])); + + var msg436 = msg("msg", part437); + + var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup173, + ])); + + var msg437 = msg("src", part438); + + var all93 = all_match({ + processors: [ + dup7, + dup185, + dup183, + dup17, + dup212, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg438 = msg("1235", all93); + + var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); + + var all94 = all_match({ + processors: [ + dup7, + dup185, + dup10, + dup202, + part439, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg439 = msg("1197", all94); + + var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var all95 = all_match({ + processors: [ + part440, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg440 = msg("1199", all95); + + var part441 = 
match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg441 = msg("1199:01", part441); + + var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg442 = msg("1199:02", part442); + + var select127 = linear_select([ + msg440, + msg441, + msg442, + ]); + + var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); + + var all96 = all_match({ + processors: [ + part443, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg443 = msg("1155", all96); + + var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup111, + ])); + + var msg444 = msg("1155:01", part444); + + var select128 = linear_select([ + msg443, + msg444, + ]); + + var all97 = all_match({ + processors: [ + dup176, + dup213, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg445 = msg("1198", all97); + + var all98 = all_match({ + processors: [ + dup7, + dup185, + dup174, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg446 = msg("714", all98); + + var msg447 = 
msg("709", dup252); + + var msg448 = msg("1005", dup252); + + var msg449 = msg("1003", dup252); + + var msg450 = msg("1007", dup253); + + var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup109, + dup11, + ])); + + var msg451 = msg("1008", part445); + + var msg452 = msg("708", dup253); + + var all99 = all_match({ + processors: [ + dup176, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg453 = msg("1201", all99); + + var msg454 = msg("1201:01", dup253); + + var select129 = linear_select([ + msg453, + msg454, + ]); + + var msg455 = msg("654", dup234); + + var msg456 = msg("670", dup234); + + var msg457 = msg("884", dup253); + + var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg458 = msg("1153", part446); + + var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); + + var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); + + var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); + + var select130 = linear_select([ + part447, + part448, + part449, + ]); + + var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); + + var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var select131 = linear_select([ + part451, + dup26, + ]); + + var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); + + var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); + + var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); + + var select132 = linear_select([ + part452, + part453, + part454, + ]); + + var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); + + var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); + + var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); + + var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); + + var select133 = linear_select([ + part456, + part457, + part458, + ]); + + var all100 = all_match({ + processors: [ + dup54, + select130, + part450, + select131, + select132, + part455, + select133, + dup123, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg459 = msg("1153:01", all100); + + var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); + + var select134 = linear_select([ + part459, + part460, + ]); + + var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); + + var all101 = all_match({ + processors: [ + dup82, + select134, + part461, + ], + on_success: processor_chain([ + dup1, + dup11, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var msg460 = msg("1153:02", all101); + + var select135 = linear_select([ + msg458, + msg459, + msg460, + ]); + + var part462 = match("MESSAGE#460:1107", "nwparser.payload", 
"msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg461 = msg("1107", part462); + + var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); + + var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); + + var select136 = linear_select([ + part464, + part465, + ]); + + var all102 = all_match({ + processors: [ + part463, + select136, + dup153, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg462 = msg("1220", all102); + + var all103 = all_match({ + processors: [ + dup149, + dup235, + dup179, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg463 = msg("1230", all103); + + var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ + dup1, + ])); + + var msg464 = msg("1231", part466); + + var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup175, + dup11, + ])); + + var msg465 = msg("1233", part467); + + var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); + + var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); + + var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); + + var select137 = linear_select([ + part469, + part470, + ]); + + var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); + + var part472 = match("MESSAGE#465:1079/3_0", 
"nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); + + var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); + + var select138 = linear_select([ + part472, + part473, + dup38, + ]); + + var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); + + var all104 = all_match({ + processors: [ + part468, + select137, + part471, + select138, + part474, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg466 = msg("1079", all104); + + var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + ])); + + var msg467 = msg("1079:01", part475); + + var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","destination is not allowed by access control"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg468 = msg("1079:02", part476); + + var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ + dup1, + dup11, + setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), + dup18, + dup19, + dup20, + dup21, + dup22, + ])); + + var msg469 = msg("1079:03", part477); + + var select139 = linear_select([ + msg466, + msg467, + msg468, + msg469, + ]); + + var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); + + var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var select140 = linear_select([ + dup8, + part479, + ]); + + var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var select141 = 
linear_select([ + dup135, + part480, + ]); + + var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); + + var all105 = all_match({ + processors: [ + part478, + select140, + select141, + part481, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var msg470 = msg("1080", all105); + + var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg471 = msg("580", part482); + + var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); + + var all106 = all_match({ + processors: [ + part483, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg472 = msg("1369", all106); + + var all107 = all_match({ + processors: [ + dup149, + dup223, + dup152, + dup236, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg473 = msg("1370", all107); + + var all108 = all_match({ + processors: [ + dup149, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg474 = msg("1371", all108); + + var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); + + var select142 = linear_select([ + dup167, + part484, + ]); + + var all109 = all_match({ + processors: [ + dup166, + select142, + dup168, + dup223, + dup169, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, 
+ dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg475 = msg("1387", all109); + + var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); + + var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); + + var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); + + var select143 = linear_select([ + part486, + part487, + ]); + + var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); + + var select144 = linear_select([ + part488, + dup154, + dup155, + ]); + + var all110 = all_match({ + processors: [ + part485, + select143, + dup153, + select144, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg476 = msg("1391", all110); + + var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg477 = msg("1253", part489); + + var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg478 = msg("1009", part490); + + var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); + + var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); + + var part493 = match("MESSAGE#478:910/1_1", 
"nwparser.p0", "%{dinterface}srcMac=%{p0}"); + + var select145 = linear_select([ + part492, + part493, + ]); + + var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); + + var all111 = all_match({ + processors: [ + part491, + select145, + part494, + ], + on_success: processor_chain([ + dup5, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg479 = msg("910", all111); + + var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup22, + dup44, + ])); + + var msg480 = msg("m:01", part495); + + var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg481 = msg("1011", part496); + + var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup172, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg482 = msg("609", part497); + + var msg483 = msg("796", dup237); + + var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg484 = msg("880", part498); + + var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var msg485 = msg("1309", part499); + + var msg486 = msg("1310", dup237); + + var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); + + var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); + + var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); + + var select146 = linear_select([ + part501, + part502, + ]); + + var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); + + var all112 = all_match({ + processors: [ + part500, + select146, + part503, + ], + on_success: processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg487 = msg("1232", all112); + + var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var all113 = all_match({ + processors: [ + part504, + dup211, + dup119, + ], + on_success: processor_chain([ + dup165, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ]), + }); + + var msg488 = msg("1447", all113); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "10": msg9, + "100": msg159, + "1003": msg449, + "1005": msg448, + "1007": msg450, + "1008": msg451, + "1009": msg478, + "101": msg160, + "1011": msg481, + "102": msg161, + "103": msg162, + "104": msg163, + "105": msg164, + "106": msg165, + "107": msg166, + "1079": select139, + "108": msg167, + "1080": msg470, + "1086": msg424, + "109": msg168, + "11": msg10, + "110": msg169, + "1107": msg461, + "111": select57, + 
"1110": msg408, + "112": msg172, + "113": msg173, + "114": msg174, + "1149": msg426, + "115": select58, + "1153": select135, + "1154": select126, + "1155": select128, + "1159": msg427, + "116": msg177, + "117": msg178, + "118": msg179, + "119": msg180, + "1195": select124, + "1197": msg439, + "1198": msg445, + "1199": select127, + "12": select4, + "120": msg181, + "1201": select129, + "121": msg182, + "122": msg183, + "1220": msg462, + "1222": msg431, + "1226": msg430, + "123": msg184, + "1230": msg463, + "1231": msg464, + "1232": msg487, + "1233": msg465, + "1235": msg438, + "124": msg185, + "125": msg186, + "1253": msg477, + "1254": msg187, + "1256": msg188, + "1257": msg189, + "126": msg190, + "127": msg191, + "128": msg192, + "129": msg193, + "13": msg13, + "130": msg194, + "1309": msg485, + "131": msg195, + "1310": msg486, + "132": msg196, + "133": msg197, + "134": msg198, + "135": msg199, + "136": msg200, + "1369": msg472, + "137": msg201, + "1370": msg473, + "1371": msg474, + "138": msg202, + "1387": msg475, + "139": select59, + "1391": msg476, + "14": select7, + "140": msg205, + "141": msg206, + "142": msg207, + "143": msg208, + "1430": msg425, + "1431": msg209, + "144": msg210, + "1447": msg488, + "145": msg211, + "146": msg212, + "147": msg213, + "148": msg214, + "1480": msg215, + "149": msg216, + "15": msg20, + "150": msg217, + "151": msg218, + "152": msg219, + "153": msg220, + "154": msg221, + "155": msg222, + "156": msg223, + "157": select60, + "158": msg226, + "159": msg227, + "16": msg21, + "160": msg228, + "161": msg229, + "162": msg230, + "163": msg231, + "164": msg232, + "165": msg233, + "166": msg234, + "167": msg235, + "168": msg236, + "169": msg237, + "17": msg22, + "170": msg238, + "171": select61, + "172": select62, + "173": msg245, + "174": select63, + "175": select64, + "176": msg253, + "177": msg254, + "178": msg255, + "179": msg256, + "18": msg23, + "180": select65, + "181": select66, + "19": msg24, + "193": msg261, + "194": msg262, + 
"195": msg263, + "196": select67, + "199": msg266, + "20": msg25, + "200": msg267, + "21": msg26, + "22": msg27, + "23": select10, + "235": select68, + "236": msg271, + "237": msg272, + "238": msg273, + "239": msg274, + "24": select11, + "240": msg275, + "241": select69, + "242": msg278, + "243": msg403, + "25": msg34, + "252": msg279, + "255": msg280, + "257": msg281, + "26": msg35, + "261": select72, + "262": msg284, + "263": msg413, + "264": msg414, + "267": select121, + "27": msg36, + "273": msg285, + "28": select12, + "29": select13, + "30": select14, + "31": select15, + "32": select16, + "328": msg286, + "329": msg287, + "33": select17, + "34": msg52, + "346": msg288, + "35": select18, + "350": msg289, + "351": msg290, + "352": msg291, + "353": select73, + "354": msg294, + "355": select74, + "356": msg297, + "357": select75, + "358": msg300, + "36": select21, + "37": select23, + "371": select76, + "372": msg303, + "373": msg304, + "38": select25, + "39": msg67, + "4": msg1, + "40": msg68, + "401": msg305, + "402": msg306, + "403": msg400, + "404": msg410, + "406": msg307, + "41": select26, + "412": msg415, + "413": msg308, + "414": msg309, + "42": msg72, + "427": msg156, + "428": msg157, + "43": msg73, + "438": msg310, + "439": msg311, + "44": msg74, + "440": msg312, + "441": select77, + "442": msg315, + "446": msg316, + "45": select27, + "46": select28, + "47": msg82, + "477": msg317, + "48": msg83, + "49": msg84, + "5": select2, + "50": msg85, + "509": msg318, + "51": msg86, + "52": msg87, + "520": msg319, + "522": select80, + "523": msg323, + "524": select83, + "526": select86, + "53": msg88, + "534": msg401, + "537": select101, + "538": msg346, + "549": msg347, + "557": msg348, + "558": msg349, + "561": msg350, + "562": msg351, + "563": msg352, + "565": msg409, + "58": msg89, + "580": msg471, + "583": msg353, + "597": select102, + "598": select103, + "6": select3, + "60": msg90, + "602": select104, + "605": msg363, + "606": msg364, + "608": msg365, + 
"609": msg482, + "61": msg91, + "614": msg421, + "616": msg366, + "62": msg92, + "63": select29, + "64": msg95, + "65": msg96, + "654": msg455, + "657": select118, + "658": msg367, + "66": msg97, + "67": select30, + "670": msg456, + "68": msg100, + "69": msg101, + "7": msg6, + "70": select32, + "708": msg452, + "709": msg447, + "710": msg368, + "712": select108, + "713": select109, + "714": msg446, + "72": select33, + "73": msg106, + "74": msg107, + "748": msg422, + "75": msg108, + "76": msg109, + "760": select110, + "766": msg378, + "77": msg110, + "78": msg111, + "79": msg112, + "793": msg416, + "794": msg423, + "796": msg483, + "8": msg7, + "80": msg113, + "805": msg417, + "809": select122, + "81": msg114, + "82": select34, + "83": select35, + "84": msg122, + "860": select111, + "866": select113, + "867": select114, + "87": select37, + "88": select38, + "880": msg484, + "882": select115, + "884": msg457, + "888": select116, + "89": select40, + "892": msg389, + "9": msg8, + "90": msg129, + "904": msg390, + "905": msg391, + "906": msg392, + "907": msg393, + "908": msg394, + "909": msg395, + "91": msg130, + "910": msg479, + "914": msg396, + "92": msg131, + "93": msg132, + "931": msg397, + "935": msg420, + "94": msg133, + "95": msg134, + "96": msg135, + "97": select44, + "98": select56, + "986": msg155, + "99": msg158, + "994": msg402, + "995": msg404, + "997": msg405, + "998": select119, + "m": msg480, + "msg": msg436, + "src": msg437, + }), + ]); + + var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); + + var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); + + var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} %{p0}"); + + var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); + + var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); + + var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + + var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + + var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); + + var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); + + var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); + + var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); + + var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); + + var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); + + var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); + + var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); + + var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); + + var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); + + var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + + var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + + var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + + var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); + + var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); + + var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); + + 
var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); + + var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); + + var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); + + var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); + + var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); + + var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); + + var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); + + var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); + + var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); + + var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); + + var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); + + var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); + + var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); + + var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); + + var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); + + var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); + + var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); + + var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} 
dst= %{p0}"); + + var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); + + var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); + + var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); + + var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); + + var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); + + var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); + + var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); + + var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); + + var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); + + var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); + + var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); + + var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); + + var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); + + var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); + + var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); + + var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); + + var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); + + var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", 
"dstname=%{name}"); + + var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); + + var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); + + var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); + + var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); + + var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); + + var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); + + var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); + + var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); + + var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); + + var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); + + var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); + + var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); + + var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); + + var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); + + var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); + + var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); + + var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + + var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); + + var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + + var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); + + var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); + + var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); + + var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); + + var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); + + var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); + + var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); + + var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); + + var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); + + var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); + + var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); + + var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); + + var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); + + var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); + + var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); + + var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); + + var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); + + var part608 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); + + var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); + + var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); + + var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); + + var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); + + var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); + + var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); + + var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + + var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + + var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + + var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + + var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + + var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + + var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + + var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + + var select147 = linear_select([ + dup8, + dup9, + ]); + + var select148 = linear_select([ + dup15, + dup16, + ]); + + var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + 
])); + + var select149 = linear_select([ + dup26, + dup27, + ]); + + var select150 = linear_select([ + dup28, + dup29, + ]); + + var select151 = linear_select([ + dup35, + dup36, + ]); + + var select152 = linear_select([ + dup37, + dup38, + ]); + + var select153 = linear_select([ + dup39, + dup40, + ]); + + var select154 = linear_select([ + dup26, + dup46, + ]); + + var select155 = linear_select([ + dup48, + dup49, + ]); + + var select156 = linear_select([ + dup52, + dup53, + ]); + + var select157 = linear_select([ + dup55, + dup56, + ]); + + var select158 = linear_select([ + dup57, + dup58, + ]); + + var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, + ])); + + var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup5, + ])); + + var select159 = linear_select([ + dup75, + dup76, + ]); + + var select160 = linear_select([ + dup83, + dup84, + ]); + + var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ + dup1, + ])); + + var select161 = linear_select([ + dup94, + dup95, + ]); + + var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup5, + ])); + + var select162 = linear_select([ + dup98, + dup99, + ]); + + var select163 = linear_select([ + dup86, + dup102, + ]); + + var select164 = linear_select([ + dup103, + dup104, + ]); + + var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, + ])); + + var part630 = match("MESSAGE#293:355", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, + ])); + + var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup1, + ])); + + var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup1, + ])); + + var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var select165 = linear_select([ + dup114, + dup115, + ]); + + var select166 = linear_select([ + dup117, + dup118, + ]); + + var select167 = linear_select([ + dup43, + dup42, + ]); + + var select168 = linear_select([ + dup8, + dup27, + ]); + + var select169 = linear_select([ + dup8, + dup26, + dup46, + ]); + + var select170 = linear_select([ + dup80, + dup15, + dup16, + ]); + + var select171 = linear_select([ + dup124, + dup125, + dup126, + dup38, + ]); + + var select172 = linear_select([ + dup127, + dup128, + ]); + + var select173 = linear_select([ + dup129, + dup130, + ]); + + var select174 = linear_select([ + dup135, + dup136, + dup137, + ]); + + var select175 = linear_select([ + dup138, + dup56, + ]); + + var select176 = linear_select([ + dup140, + dup141, + ]); + + var select177 = linear_select([ + dup142, + dup143, + ]); + + var select178 = linear_select([ + dup150, + dup151, + ]); + + var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, + ])); + + var select179 = linear_select([ + dup158, + dup38, + ]); + + var select180 = linear_select([ + dup160, + dup161, + ]); + + var select181 = linear_select([ + dup162, + dup163, + ]); + + var part635 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ + dup5, + ])); + + var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ + dup5, + ])); + + var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ + dup5, + dup24, + ])); + + var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ + dup1, + dup24, + ])); + + var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ + dup1, + dup24, + ])); + + var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, + ])); + + var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ + dup1, + ])); + + var select182 = linear_select([ + dup177, + dup178, + ]); + + var select183 = linear_select([ + dup180, + dup181, + ]); + + var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup1, + dup62, + dup18, + dup88, + dup20, + dup21, + dup22, + dup44, + ])); + + var all114 = all_match({ + processors: [ + dup32, + dup185, + dup186, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all115 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup91, + ]), + }); + + var all116 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all117 = all_match({ + processors: [ + 
dup101, + dup203, + ], + on_success: processor_chain([ + dup67, + ]), + }); + + var all118 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup106, + ]), + }); + + var all119 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup31, + ]), + }); + + var all120 = all_match({ + processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ + dup30, + ]), + }); + + var all121 = all_match({ + processors: [ + dup108, + dup185, + dup187, + ], + on_success: processor_chain([ + dup109, + ]), + }); + + var all122 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup112, + ]), + }); + + var all123 = all_match({ + processors: [ + dup113, + dup210, + ], + on_success: processor_chain([ + dup93, + ]), + }); + + var all124 = all_match({ + processors: [ + dup110, + dup185, + dup187, + ], + on_success: processor_chain([ + dup116, + ]), + }); + + var all125 = all_match({ + processors: [ + dup51, + dup189, + dup41, + dup187, + ], + on_success: processor_chain([ + dup5, + ]), + }); + + var all126 = all_match({ + processors: [ + dup73, + dup185, + dup183, + dup43, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all127 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, + dup18, + dup19, + dup20, + dup21, + dup22, + ]), + }); + + var all128 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup202, + dup100, + ], + on_success: processor_chain([ + dup1, + ]), + }); + + var all129 = all_match({ + processors: [ + dup7, + dup182, + dup10, + dup200, + dup96, + ], + on_success: processor_chain([ + dup1, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain 
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: client.domain
+ target_field: client.registered_domain
+ target_subdomain_field: client.subdomain
+ target_etld_field: client.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: server.domain
+ target_field: server.registered_domain
+ target_subdomain_field: server.subdomain
+ target_etld_field: server.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: destination.domain
+ target_field: destination.registered_domain
+ target_subdomain_field: destination.subdomain
+ target_etld_field: destination.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: source.domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ target_etld_field: source.top_level_domain
+- registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: url.domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ target_etld_field: url.top_level_domain
+- add_locale: ~
diff --git a/packages/sonicwall/0.8.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall/0.8.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..06c87bf0a9
--- /dev/null
+++ b/packages/sonicwall/0.8.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,84 @@
+---
+description: Pipeline for Sonicwall-FW
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - gsub:
+ field: destination.mac
+ ignore_missing: true
+ pattern: '[:]'
+ replacement: '-'
+ - gsub:
+ field: source.mac
+ ignore_missing: true
+ pattern: '[:]'
+ replacement: '-'
+ - uppercase:
+ field: destination.mac
+ ignore_missing: true
+ - uppercase:
+ field: source.mac
+ ignore_missing: true
+ # User agent
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
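Review bot: The `on_failure` handler at the end of this hunk only appends `error.message`; a document whose geoip, rename or append step throws is still indexed with nothing that flags it as un-normalized, so detections keyed on the ECS fields this pipeline was supposed to fill (or on `event.kind`) silently skip it. Set the marker first, before the existing append, so it is present even if the append itself fails: `- set:` / `field: event.kind` / `value: pipeline_error`. The `remove` of `event.original` carries `ignore_failure: true`, so a failure there never reaches `on_failure` at all — acceptable for an opt-in preserve tag, but worth a one-line comment saying so. I cannot see the parser that runs before this pipeline; if it already sets `event.kind`, the overwrite happens only on the failure path, which is the intent.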
diff --git a/packages/sonicwall/0.8.2/data_stream/firewall/fields/base-fields.yml b/packages/sonicwall/0.8.2/data_stream/firewall/fields/base-fields.yml
new file mode 100755
index 0000000000..a73f5492de
--- /dev/null
+++ b/packages/sonicwall/0.8.2/data_stream/firewall/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: sonicwall
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: sonicwall.firewall
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: container.id
+ description: Unique container id.
+ ignore_above: 1024
+ type: keyword
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: log.file.path
+ description: Full path to the log file this event came from.
+ example: /var/log/fun-times.log
+ ignore_above: 1024
+ type: keyword
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
+- name: log.flags
+ description: Flags for the log file.
+ type: keyword
+- name: log.offset
+ description: Offset of the entry in the log file.
+ type: long
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
diff --git a/packages/sonicwall/0.8.2/data_stream/firewall/fields/ecs.yml b/packages/sonicwall/0.8.2/data_stream/firewall/fields/ecs.yml
new file mode 100755
index 0000000000..ded07b52f3
--- /dev/null
+++ b/packages/sonicwall/0.8.2/data_stream/firewall/fields/ecs.yml
@@ -0,0 +1,553 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. 
internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. 
+ If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
+ multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
+ name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
+ For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. 
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ The domain name of the server system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: server.domain
+ type: keyword
+- description: |-
+ The highest registered server domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: server.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: server.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: server.top_level_domain
+ type: keyword
+- description: |-
+ Name of the service data is collected from.
+ The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
+ In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified.
+ name: service.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: |-
+ The highest registered source domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: source.registered_domain
+ type: keyword
+- description: |-
+ The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain.
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
+ name: source.subdomain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: source.top_level_domain
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: url.domain
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: wildcard
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: url.query
+ type: keyword
+- description: |-
+ The highest registered url domain, stripped of the subdomain.
+ For example, the registered domain for "foo.example.com" is "example.com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
+ name: url.registered_domain
+ type: keyword
+- description: |-
+ The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com".
+ This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
+ name: url.top_level_domain
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
+- description: User's full name, if available.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.full_name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
diff --git a/packages/sonicwall/0.8.2/data_stream/firewall/fields/fields.yml b/packages/sonicwall/0.8.2/data_stream/firewall/fields/fields.yml
new file mode 100755
index 0000000000..ea69cd79e3
--- /dev/null
+++ b/packages/sonicwall/0.8.2/data_stream/firewall/fields/fields.yml
@@ -0,0 +1,1754 @@
+- name: rsa
+ type: group
+ fields:
+ - name: internal
+ type: group
+ fields:
+ - name: msg
+ type: keyword
+ description: This key is used to capture the raw message that comes into the Log Decoder
+ - name: messageid
+ type: keyword
+ - name: event_desc
+ type: keyword
+ - name: message
+ type: keyword
+ description: This key captures the contents of instant messages
+ - name: time
+ type: date
+ description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
+ - name: level
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: msg_id
+ type: keyword
+ description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: msg_vid
+ type: keyword
+ description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: data
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_server
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_val
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: resource
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: obj_id
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: statement
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: audit_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: entry
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: hcode
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: inode
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: resource_class
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: dead
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: feed_desc
+ type: keyword
+ description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: feed_name
+ type: keyword
+ description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: cid
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_class
+ type: keyword
+ description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_group
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_host
+ type: keyword
+ description: This is the Hostname of the log Event Source sending the logs to NetWitness.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ip
+ type: ip
+ description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_ipv6
+ type: ip
+ description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type
+ type: keyword
+ description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: device_type_id
+ type: long
+ description: Deprecated key defined only in table map.
+ - name: did
+ type: keyword
+ description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: entropy_req
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: entropy_res
+ type: long
+ description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ - name: event_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: feed_category
+ type: keyword
+ description: This is used to capture the category of the feed.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: forward_ip
+ type: ip
+ description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
+ - name: forward_ipv6
+ type: ip
+ description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: header_id
+ type: keyword
+ description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_cid
+ type: keyword
+ description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: lc_ctime
+ type: date
+ description: This is the time at which a log is collected in a NetWitness Log Collector.
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: mcb_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcb_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
+ - name: mcbc_req
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: mcbc_res
+ type: long
+ description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ - name: medium
+ type: long
+ description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
+ - name: node_name
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: nwe_callback_id
+ type: keyword
+ description: This key denotes that event is endpoint related
+ - name: parse_error
+ type: keyword
+ description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: payload_req
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing.
However, in order to keep
+ - name: payload_res
+ type: long
+ description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+ - name: process_vid_dst
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
+ - name: process_vid_src
+ type: keyword
+ description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
+ - name: rid
+ type: long
+ description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: session_split
+ type: keyword
+ description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: site
+ type: keyword
+ description: Deprecated key defined only in table map.
+ - name: size
+ type: long
+ description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: sourcefile
+ type: keyword
+ description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ - name: ubc_req
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream.
256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: ubc_res
+ type: long
+ description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+ - name: word
+ type: keyword
+ description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
+ - name: time
+ type: group
+ fields:
+ - name: event_time
+ type: date
+ description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
+ - name: duration_time
+ type: double
+ description: This key is used to capture the normalized duration/lifetime in seconds.
+ - name: event_time_str
+ type: keyword
+ description: This key is used to capture the incomplete time mentioned in a session as a string
+ - name: starttime
+ type: date
+ description: This key is used to capture the Start time mentioned in a session in a standard form
+ - name: month
+ type: keyword
+ - name: day
+ type: keyword
+ - name: endtime
+ type: date
+ description: This key is used to capture the End time mentioned in a session in a standard form
+ - name: timezone
+ type: keyword
+ description: This key is used to capture the timezone of the Event Time
+ - name: duration_str
+ type: keyword
+ description: A text string version of the duration
+ - name: date
+ type: keyword
+ - name: year
+ type: keyword
+ - name: recorded_time
+ type: date
+ description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
+ - name: datetime
+ type: keyword
+ - name: effective_time
+ type: date
+ description: This key is the effective time referenced by an individual event in a Standard Timestamp format
+ - name: expire_time
+ type: date
+ description: This key is the timestamp that explicitly refers to an expiration.
+ - name: process_time
+ type: keyword
+ description: Deprecated, use duration.time
+ - name: hour
+ type: keyword
+ - name: min
+ type: keyword
+ - name: timestamp
+ type: keyword
+ - name: event_queue_time
+ type: date
+ description: This key is the Time that the event was queued.
+ - name: p_time1
+ type: keyword
+ - name: tzone
+ type: keyword
+ - name: eventtime
+ type: keyword
+ - name: gmtdate
+ type: keyword
+ - name: gmttime
+ type: keyword
+ - name: p_date
+ type: keyword
+ - name: p_month
+ type: keyword
+ - name: p_time
+ type: keyword
+ - name: p_time2
+ type: keyword
+ - name: p_year
+ type: keyword
+ - name: expire_time_str
+ type: keyword
+ description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+ - name: stamp
+ type: date
+ description: Deprecated key defined only in table map.
+ - name: misc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: result
+ type: keyword
+ description: This key is used to capture the outcome/result string value of an action in a session.
+ - name: severity
+ type: keyword
+ description: This key is used to capture the severity given the session
+ - name: event_type
+ type: keyword
+ description: This key captures the event category type as specified by the event source.
+ - name: reference_id
+ type: keyword
+ description: This key is used to capture an event id from the session directly
+ - name: version
+ type: keyword
+ description: This key captures Version of the application or OS which is generating the event.
+ - name: disposition
+ type: keyword
+ description: This key captures the The end state of an action.
+ - name: result_code
+ type: keyword
+ description: This key is used to capture the outcome/result numeric value of an action in a session
+ - name: category
+ type: keyword
+ description: This key is used to capture the category of an event given by the vendor in the session
+ - name: obj_name
+ type: keyword
+ description: This is used to capture name of object
+ - name: obj_type
+ type: keyword
+ description: This is used to capture type of object
+ - name: event_source
+ type: keyword
+ description: "This key captures Source of the event that’s not a hostname"
+ - name: log_session_id
+ type: keyword
+ description: This key is used to capture a sessionid from the session directly
+ - name: group
+ type: keyword
+ description: This key captures the Group Name value
+ - name: policy_name
+ type: keyword
+ description: This key is used to capture the Policy Name only.
+ - name: rule_name
+ type: keyword
+ description: This key captures the Rule Name
+ - name: context
+ type: keyword
+ description: This key captures Information which adds additional context to the event.
+ - name: change_new
+ type: keyword
+ description: "This key is used to capture the new values of the attribute that’s changing in a session"
+ - name: space
+ type: keyword
+ - name: client
+ type: keyword
+ description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+ - name: msgIdPart1
+ type: keyword
+ - name: msgIdPart2
+ type: keyword
+ - name: change_old
+ type: keyword
+ description: "This key is used to capture the old value of the attribute that’s changing in a session"
+ - name: operation_id
+ type: keyword
+ description: An alert number or operation number. The values should be unique and non-repeating.
+ - name: event_state
+ type: keyword
+ description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+ - name: group_object
+ type: keyword
+ description: This key captures a collection/grouping of entities. Specific usage
+ - name: node
+ type: keyword
+ description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+ - name: rule
+ type: keyword
+ description: This key captures the Rule number
+ - name: device_name
+ type: keyword
+ description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
+ - name: param
+ type: keyword
+ description: This key is the parameters passed as part of a command or application, etc.
+ - name: change_attrib
+ type: keyword
+ description: "This key is used to capture the name of the attribute that’s changing in a session"
+ - name: event_computer
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ - name: reference_id1
+ type: keyword
+ description: This key is for Linked ID to be used as an addition to "reference.id"
+ - name: event_log
+ type: keyword
+ description: This key captures the Name of the event log
+ - name: OS
+ type: keyword
+ description: This key captures the Name of the Operating System
+ - name: terminal
+ type: keyword
+ description: This key captures the Terminal Names only
+ - name: msgIdPart3
+ type: keyword
+ - name: filter
+ type: keyword
+ description: This key captures Filter used to reduce result set
+ - name: serial_number
+ type: keyword
+ description: This key is the Serial number associated with a physical asset.
+ - name: checksum
+ type: keyword
+ description: This key is used to capture the checksum or hash of the entity such as a file or process.
Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+ - name: event_user
+ type: keyword
+ description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+ - name: virusname
+ type: keyword
+ description: This key captures the name of the virus
+ - name: content_type
+ type: keyword
+ description: This key is used to capture Content Type only.
+ - name: group_id
+ type: keyword
+ description: This key captures Group ID Number (related to the group name)
+ - name: policy_id
+ type: keyword
+ description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+ - name: vsys
+ type: keyword
+ description: This key captures Virtual System Name
+ - name: connection_id
+ type: keyword
+ description: This key captures the Connection ID
+ - name: reference_id2
+ type: keyword
+ description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+ - name: sensor
+ type: keyword
+ description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
+ - name: sig_id
+ type: long
+ description: This key captures IDS/IPS Int Signature ID
+ - name: port_name
+ type: keyword
+ description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
+ - name: rule_group
+ type: keyword
+ description: This key captures the Rule group name
+ - name: risk_num
+ type: double
+ description: This key captures a Numeric Risk value
+ - name: trigger_val
+ type: keyword
+ description: This key captures the Value of the trigger or threshold condition.
+ - name: log_session_id1
+ type: keyword
+ description: This key is used to capture a Linked (Related) Session ID from the session directly
+ - name: comp_version
+ type: keyword
+ description: This key captures the Version level of a sub-component of a product.
+ - name: content_version
+ type: keyword
+ description: This key captures Version level of a signature or database content.
+ - name: hardware_id
+ type: keyword
+ description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
+ - name: risk
+ type: keyword
+ description: This key captures the non-numeric risk value
+ - name: event_id
+ type: keyword
+ - name: reason
+ type: keyword
+ - name: status
+ type: keyword
+ - name: mail_id
+ type: keyword
+ description: This key is used to capture the mailbox id/name
+ - name: rule_uid
+ type: keyword
+ description: This key is the Unique Identifier for a rule.
+ - name: trigger_desc
+ type: keyword
+ description: This key captures the Description of the trigger or threshold condition.
+ - name: inout
+ type: keyword
+ - name: p_msgid
+ type: keyword
+ - name: data_type
+ type: keyword
+ - name: msgIdPart4
+ type: keyword
+ - name: error
+ type: keyword
+ description: This key captures All non successful Error codes or responses
+ - name: index
+ type: keyword
+ - name: listnum
+ type: keyword
+ description: This key is used to capture listname or listnumber, primarily for collecting access-list
+ - name: ntype
+ type: keyword
+ - name: observed_val
+ type: keyword
+ description: This key captures the Value observed (from the perspective of the device generating the log).
+ - name: policy_value
+ type: keyword
+ description: This key captures the contents of the policy.
This contains details about the policy
+ - name: pool_name
+ type: keyword
+ description: This key captures the name of a resource pool
+ - name: rule_template
+ type: keyword
+ description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+ - name: count
+ type: keyword
+ - name: number
+ type: keyword
+ - name: sigcat
+ type: keyword
+ - name: type
+ type: keyword
+ - name: comments
+ type: keyword
+ description: Comment information provided in the log message
+ - name: doc_number
+ type: long
+ description: This key captures File Identification number
+ - name: expected_val
+ type: keyword
+ description: This key captures the Value expected (from the perspective of the device generating the log).
+ - name: job_num
+ type: keyword
+ description: This key captures the Job Number
+ - name: spi_dst
+ type: keyword
+ description: Destination SPI Index
+ - name: spi_src
+ type: keyword
+ description: Source SPI Index
+ - name: code
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: This key is used to capture agent id
+ - name: message_body
+ type: keyword
+ description: This key captures the The contents of the message body.
+ - name: phone
+ type: keyword
+ - name: sig_id_str
+ type: keyword
+ description: This key captures a string object of the sigid variable.
+ - name: cmd
+ type: keyword
+ - name: misc
+ type: keyword
+ - name: name
+ type: keyword
+ - name: cpu
+ type: long
+ description: This key is the CPU time used in the execution of the event being recorded.
+ - name: event_desc
+ type: keyword
+ description: This key is used to capture a description of an event available directly or inferred
+ - name: sig_id1
+ type: long
+ description: This key captures IDS/IPS Int Signature ID.
This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. 
+ - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + 
type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: 
cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - 
name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + 
type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - 
name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. 
+ - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
+ - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. 
+ - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. 
+ - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. 
This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that 
should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This 
key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. 
Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. 
+ - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. 
Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. 
+ - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + 
description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. 
+ - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/sonicwall/0.8.2/data_stream/firewall/manifest.yml b/packages/sonicwall/0.8.2/data_stream/firewall/manifest.yml new file mode 100755 index 0000000000..ee20464f38 --- /dev/null +++ b/packages/sonicwall/0.8.2/data_stream/firewall/manifest.yml 
@@ -0,0 +1,204 @@
+title: Sonicwall-FW logs
+release: experimental
+type: logs
+streams:
+ - input: udp
+ title: Sonicwall-FW logs
+ description: Collect Sonicwall-FW logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9536
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Sonicwall-FW logs
+ description: Collect Sonicwall-FW logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9536
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Sonicwall-FW logs
+ description: Collect Sonicwall-FW logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/sonicwall-firewall.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - sonicwall-firewall
+ - forwarded
+ - name: tz_offset
+ type: text
+ title: Timezone offset (+HH:mm format)
+ required: false
+ show_user: true
+ default: "local"
+ - name: rsa_fields
+ type: bool
+ title: Add non-ECS fields
+ required: false
+ show_user: true
+ default: true
+ - name: keep_raw_fields
+ type: bool
+ title: Keep raw parser fields
+ required: false
+ show_user: false
+ default: false
+ - name: debug
+ type: bool
+ title: Enable debug logging
+ required: false
+ show_user: false
+ default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/sonicwall/0.8.2/docs/README.md b/packages/sonicwall/0.8.2/docs/README.md
new file mode 100755
index 0000000000..2cfbe9f565
--- /dev/null
+++ b/packages/sonicwall/0.8.2/docs/README.md
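Review bot: The `processors` description is written as `description: >` (folded, trailing newline kept) in the udp and tcp streams but as `description: >-` in the logfile stream, so the same help text renders with a trailing newline in two of the three inputs; the two udp/tcp lines should read `description: >-` to match. The `tz_offset`, `rsa_fields`, `keep_raw_fields` and `debug` variables carry only a `title`, so a user toggling `rsa_fields` (default `true`) or `keep_raw_fields` in the policy editor is given nothing about what extra fields end up indexed — presumably the non-ECS `rsa.*` fields the README in this same commit documents — and a one-line `description:` on each, e.g. `description: Keep the non-ECS fields produced by the parser alongside the ECS fields` for `rsa_fields`, would close that gap. If this directory is a verbatim snapshot of a published package, these fixes belong in the upstream package source rather than in this copy.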
@@ -0,0 +1,832 @@ +# Sonicwall integration (Deprecated) + +_This integration is deprecated. Please use the SonicWall Firewall +integration instead._ + +This integration is for Sonicwall device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `firewall` dataset: supports Sonicwall-FW logs. + +### Firewall + +The `firewall` dataset collects Sonicwall-FW logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. 
| geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. 
| match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. 
If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. 
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. 
| keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. 
| keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is 
used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. 
| keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. 
| keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. 
| keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This 
key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. 
| keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. 
| keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 
256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 
| keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or 
process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | 
| keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. 
| keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures 
CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). 
| keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
| keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. 
| keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. 
Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. 
Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long 
| +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. 
| keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. 
| keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. 
| keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
| keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. 
| keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. 
| keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/sonicwall/0.8.2/img/logo.svg b/packages/sonicwall/0.8.2/img/logo.svg new file mode 100755 index 0000000000..fb1aded68a --- /dev/null +++ b/packages/sonicwall/0.8.2/img/logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/sonicwall/0.8.2/manifest.yml b/packages/sonicwall/0.8.2/manifest.yml new file mode 100755 index 0000000000..262ab60e52 --- /dev/null +++ b/packages/sonicwall/0.8.2/manifest.yml 
@@ -0,0 +1,32 @@
+format_version: 1.0.0
+name: sonicwall
+title: Sonicwall-FW Logs
+version: "0.8.2"
+description: Deprecated. Collect logs from Sonicwall devices with Elastic Agent.
+categories: ["network", "security"]
+release: experimental
+license: basic
+type: integration
+conditions:
+  kibana.version: "^7.14.1 || ^8.0.0"
+policy_templates:
+  - name: firewall
+    title: Sonicwall-FW
+    description: Collect Sonicwall-FW logs from syslog or a file.
+    inputs:
+      - type: udp
+        title: Collect logs from Sonicwall-FW via UDP
+        description: Collecting syslog from Sonicwall-FW via UDP
+      - type: tcp
+        title: Collect logs from Sonicwall-FW via TCP
+        description: Collecting syslog from Sonicwall-FW via TCP
+      - type: logfile
+        title: Collect logs from Sonicwall-FW via file
+        description: Collecting syslog from Sonicwall-FW via file.
+icons:
+  - src: /img/logo.svg
+    title: Sonicwall-FW logo
+    size: 32x32
+    type: image/svg+xml
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/ti_abusech/1.6.0/changelog.yml b/packages/ti_abusech/1.6.0/changelog.yml
new file mode 100755
index 0000000000..ad725f1474
--- /dev/null
+++ b/packages/ti_abusech/1.6.0/changelog.yml
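Review bot: The `description: Deprecated. Collect logs from Sonicwall devices with Elastic Agent.` line marks the package as deprecated but never names what replaces it, so the one string Fleet shows an operator before install gives no migration pointer. Since the description already declares the deprecation, extend it in place, e.g. `description: Deprecated. Collect logs from Sonicwall devices with Elastic Agent. Use the <REPLACEMENT_PACKAGE> integration instead.` with the successor's actual package name filled in. The policy template declares udp, tcp and logfile inputs with titles only; where the listener address and TLS settings are defined is presumably the data stream manifest, which is not part of this hunk.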
@@ -0,0 +1,111 @@ +# newer versions go on top +- version: "1.6.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3871 +- version: "1.5.1" + changes: + - description: Fix proxy URL documentation rendering. + type: bugfix + link: https://github.com/elastic/integrations/pull/3881 +- version: "1.5.0" + changes: + - description: Update categories to include `threat_intel`. + type: enhancement + link: https://github.com/elastic/integrations/pull/3689 +- version: "1.4.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.3.2" + changes: + - description: Added link to AbuseCH documentation in readme + type: enhancement + link: https://github.com/elastic/integrations/pull/3166 +- version: "1.3.1" + changes: + - description: Update package descriptions + type: enhancement + link: https://github.com/elastic/integrations/pull/3398 +- version: "1.3.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2781 +- version: "1.2.3" + changes: + - description: Add mapping for event.created + type: enhancement + link: https://github.com/elastic/integrations/pull/3042 +- version: "1.2.2" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.2.1" + changes: + - description: Fix field mapping conflicts in `threat.indicator.file.x509.not_before/not_after` + type: bugfix + link: https://github.com/elastic/integrations/pull/2893 +- version: "1.2.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2445 +- version: "1.1.5" + changes: + - description: Removes extra tag from dashboards + type: bugfix + link: https://github.com/elastic/integrations/pull/2544 +- version: "1.1.4" + 
changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.1.3" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.1.2" + changes: + - description: Fixing typo in base-fields.yml + type: enhancement + link: https://github.com/elastic/integrations/pull/2331 +- version: "1.1.1" + changes: + - description: Update ECS fields for threat.feed.name + type: enhancement + link: https://github.com/elastic/integrations/pull/2293 +- version: "1.1.0" + changes: + - description: Adding dashboards and adding minor tweaks to pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/2072 +- version: "1.0.4" + changes: + - description: Bump minimum version in manifest + type: enhancement + link: https://github.com/elastic/integrations/pull/2072 +- version: "1.0.3" + changes: + - description: Bump minimum version + type: enhancement + link: https://github.com/elastic/integrations/pull/2063 +- version: "1.0.2" + changes: + - description: Update title and description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1997 +- version: "1.0.1" + changes: + - description: Fix invisible package icon + type: enhancement + link: https://github.com/elastic/integrations/pull/1939 +- version: "1.0.0" + changes: + - description: Initial Release + type: enhancement + link: https://github.com/elastic/integrations/pull/1866 diff --git a/packages/ti_abusech/1.6.0/data_stream/malware/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.6.0/data_stream/malware/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..457acc00d6 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malware/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,38 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+    target: header.Content-Type
+    value: application/json
+
+response.split:
+  target: body.payloads
+
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_abusech/1.6.0/data_stream/malware/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.6.0/data_stream/malware/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..9bf4d0aec0
--- /dev/null
+++ b/packages/ti_abusech/1.6.0/data_stream/malware/elasticsearch/ingest_pipeline/default.yml
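Review bot: The templated scalars at `request.url: {{url}}` and `request.proxy_url: {{proxy_url}}` are emitted unquoted while the literal `request.method: "GET"` is quoted; the rendered text is parsed as YAML after substitution, so a value containing ` #` or `: ` would be truncated or mis-parsed silently, and an empty expansion yields `null` instead of an error at the field. Write them as `request.url: "{{url}}"` and `request.proxy_url: "{{proxy_url}}"`; `{{ssl}}` and `{{processors}}` carry structured values and should stay as they are. The opener `{{#if proxy_url }}` has a stray space before `}}` that its siblings do not; Handlebars tolerates it, but aligning it to `{{#if proxy_url}}` keeps the template uniform.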
@@ -0,0 +1,156 @@ +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: '8.4.0' + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: abusech.malware + - fingerprint: + fields: + - abusech.malware.md5_hash + - abusech.malware.sha256_hash + target_field: "_id" + + ##################### + # Threat ECS Fields # + ##################### + - date: + field: abusech.malware.firstseen + target_field: threat.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.abusech?.malware?.firstseen != null" + - set: + field: threat.indicator.type + value: file + - rename: + field: abusech.malware.file_size + target_field: threat.indicator.file.size + ignore_missing: true + - rename: + field: abusech.malware.file_type + target_field: threat.indicator.file.type + ignore_missing: true + # This includes a direct link to malicious files, we do not want them to appear in Kibana + # in case they are accidently clicked. 
+ - remove: + field: abusech.malware.urlhaus_download + ignore_missing: true + - convert: + field: threat.indicator.file.size + type: long + ignore_missing: true + - convert: + field: abusech.malware.virustotal.percent + type: float + ignore_missing: true + - rename: + field: abusech.malware.md5_hash + target_field: threat.indicator.file.hash.md5 + ignore_missing: true + - rename: + field: abusech.malware.sha256_hash + target_field: threat.indicator.file.hash.sha256 + ignore_missing: true + - rename: + field: abusech.malware.imphash + target_field: threat.indicator.file.pe.imphash + ignore_missing: true + - rename: + field: abusech.malware.ssdeep + target_field: threat.indicator.file.hash.ssdeep + ignore_missing: true + - rename: + field: abusech.malware.tlsh + target_field: threat.indicator.file.hash.tlsh + ignore_missing: true + - append: + field: related.hash + value: "{{{threat.indicator.file.hash.md5}}}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null + - append: + field: related.hash + value: "{{{threat.indicator.file.hash.sha256}}}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null + - append: + field: related.hash + value: "{{{threat.indicator.file.hash.ssdeep}}}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null + - append: + field: related.hash + value: "{{{threat.indicator.file.pe.imphash}}}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null + - append: + field: related.hash + value: "{{{threat.indicator.file.hash.tlsh}}}" + if: ctx?.threat?.indicator?.file?.hash?.tlsh != null + + ###################### + # Cleanup processors # + ###################### + - set: + field: threat.indicator.type + value: unknown + if: ctx?.threat?.indicator?.type == null + - script: + lang: painless + if: ctx?.abusech != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void 
handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - abusech.malware.firstseen + - message + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_abusech/1.6.0/data_stream/malware/fields/agent.yml b/packages/ti_abusech/1.6.0/data_stream/malware/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malware/fields/agent.yml 
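Review bot: The header `description: Pipeline for parsing Abuse.ch URL Threat Intel` does not describe this pipeline — it lives under `data_stream/malware/`, parses into `abusech.malware`, and sets `threat.indicator.type` to `file` — so it reads as copied from the URL data stream; change it to `description: Pipeline for parsing Abuse.ch Malware Threat Intel`. The `date` processor's condition `if: "ctx.abusech?.malware?.firstseen != null"` uses a bare `ctx.` while every other condition in the file uses `ctx?.`; aligning it to `if: ctx?.abusech?.malware?.firstseen != null` keeps the null-safe style uniform. The comment above the `remove` of `abusech.malware.urlhaus_download`, which rightly explains that a direct link to malicious files is dropped so it cannot be clicked from Kibana, has the typo `accidently`; it should read `accidentally`.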
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_abusech/1.6.0/data_stream/malware/fields/base-fields.yml b/packages/ti_abusech/1.6.0/data_stream/malware/fields/base-fields.yml new file mode 100755 index 0000000000..6803389c14 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malware/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_abusech +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_abusech.malware +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: AbuseCH Malware +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_abusech/1.6.0/data_stream/malware/fields/beats.yml b/packages/ti_abusech/1.6.0/data_stream/malware/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malware/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/ti_abusech/1.6.0/data_stream/malware/fields/ecs.yml b/packages/ti_abusech/1.6.0/data_stream/malware/fields/ecs.yml new file mode 100755 index 0000000000..11361b18a1 --- /dev/null 
+++ b/packages/ti_abusech/1.6.0/data_stream/malware/fields/ecs.yml 
@@ -0,0 +1,92 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: Type of indicator as represented by Cyber Observable in STIX 2.0. + name: threat.indicator.type + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: threat.indicator.file.size + type: long +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: threat.indicator.file.pe.imphash + type: keyword +- description: SSDEEP hash. + name: threat.indicator.file.hash.ssdeep + type: keyword +- description: The file's import tlsh, if available. + name: threat.indicator.file.hash.tlsh + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword 
diff --git a/packages/ti_abusech/1.6.0/data_stream/malware/fields/fields.yml b/packages/ti_abusech/1.6.0/data_stream/malware/fields/fields.yml new file mode 100755 index 0000000000..970fa42a04 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malware/fields/fields.yml @@ -0,0 +1,24 @@ +- name: abusech.malware + type: group + description: All fields related to AbuseCH URL indicators. + fields: + - name: signature + type: keyword + description: > + Malware familiy. + + - name: virustotal.result + type: keyword + description: > + AV detection ration. + + - name: virustotal.percent + type: float + description: > + AV detection in percent. + + - name: virustotal.link + type: keyword + description: > + Link to the Virustotal report. + diff --git a/packages/ti_abusech/1.6.0/data_stream/malware/manifest.yml b/packages/ti_abusech/1.6.0/data_stream/malware/manifest.yml new file mode 100755 index 0000000000..e78edee86d --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malware/manifest.yml 
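Review bot: The `abusech.malware` group description in fields.yml reads `All fields related to AbuseCH URL indicators.` although this is the malware-payload stream; suggest `All fields related to AbuseCH malware payload indicators.`. Two field descriptions also carry typos that surface in generated docs: `Malware familiy.` should be `Malware family.` and `AV detection ration.` should be `AV detection ratio.`. Documentation only; no mapping change.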
@@ -0,0 +1,68 @@ +type: logs +title: AbuseCH Malware logs +streams: + - input: httpjson + vars: + - name: url + type: text + title: AbuseCH Malware API endpoint + multi: false + required: true + show_user: false + default: https://urlhaus-api.abuse.ch/v1/payloads/recent/ + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: false + default: 30s + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 10m + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - abusech-malware + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: AbuseCH Malware logs + description: Collect AbuseCH Malware logs diff --git a/packages/ti_abusech/1.6.0/data_stream/malware/sample_event.json b/packages/ti_abusech/1.6.0/data_stream/malware/sample_event.json new file mode 100755 index 0000000000..9b1f6ac709 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malware/sample_event.json 
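Review bot: The `proxy_url` description in manifest.yml, `URL to proxy connections in the form of http\[s\]://:@:`, has lost its placeholder tokens (most likely stripped as markup), leaving the user with an unreadable format string; suggest `URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>`. Because a proxy password written this way is stored verbatim in the agent policy, the description could also say so, so operators can decide whether an unauthenticated proxy is preferable. The `url` var being `required: true` with `show_user: false` and the fixed endpoint default is fine for a feed whose endpoint is not expected to change.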
@@ -0,0 +1,69 @@ +{ + "@timestamp": "2022-04-11T08:43:51.252Z", + "abusech": { + "malware": {} + }, + "agent": { + "ephemeral_id": "3c096aaa-3fd9-4560-87fe-375b99890402", + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_abusech.malware", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:43:51.252Z", + "dataset": "ti_abusech.malware", + "ingested": "2022-04-11T08:43:52Z", + "kind": "enrichment", + "original": "{\"file_size\":\"1563\",\"file_type\":\"unknown\",\"firstseen\":\"2021-10-05 04:17:02\",\"imphash\":null,\"md5_hash\":\"9cd5a4f0231a47823c4adba7c8ef370f\",\"sha256_hash\":\"7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2\",\"signature\":null,\"ssdeep\":\"48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n\",\"tlsh\":\"T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2/\",\"virustotal\":null}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hash": [ + "9cd5a4f0231a47823c4adba7c8ef370f", + "7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2", + "48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n", + "T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "abusech-malware" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "md5": "9cd5a4f0231a47823c4adba7c8ef370f", + "sha256": "7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2", + "ssdeep": 
"48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n", + "tlsh": "T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1" + }, + "pe": {}, + "size": 1563, + "type": "unknown" + }, + "first_seen": "2021-10-05T04:17:02.000Z", + "type": "file" + } + } +} \ No newline at end of file diff --git a/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..1684323a35 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs @@ -0,0 +1,44 @@ +config_version: "2" +interval: {{interval}} +request.method: "POST" + +{{#if url}} +request.url: {{url}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: +- set: + target: header.Content-Type + value: application/x-www-form-urlencoded +- set: + target: url.params.query + value: get_recent +- set: + target: url.params.selector + value: time + +response.split: + target: body.data + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..d76bedbf8a --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml 
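Review bot: In the malwarebazaar httpjson.yml.hbs the request sets `header.Content-Type: application/x-www-form-urlencoded` but puts `query` and `selector` under `url.params.*`, which httpjson encodes into the query string rather than the POST body; if the MalwareBazaar API reads these from the form body, the response would carry nothing to split on `body.data`. If the body is the intended carrier the transforms should target `body.query` and `body.selector`; if the API accepts either, a one-line comment above the transforms stating that would save the next reader the same question. I cannot confirm the API's behaviour from this page, so please verify against a live request before changing it.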
@@ -0,0 +1,242 @@ +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: '8.4.0' + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: abusech.malwarebazaar + - fingerprint: + fields: + - abusech.malwarebazaar.md5_hash + - abusech.malwarebazaar.sha256_hash + target_field: "_id" + + ##################### + # Threat ECS Fields # + ##################### + - date: + field: abusech.malwarebazaar.first_seen + target_field: threat.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.abusech?.malwarebazaar?.first_seen != null" + - date: + field: abusech.malwarebazaar.last_seen + target_field: threat.indicator.last_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + - "yyyy-MM-dd HH:mm:ss" + if: "ctx.abusech?.malwarebazaar?.last_seen != null" + - set: + field: threat.indicator.type + value: file + - rename: + field: abusech.malwarebazaar.file_name + target_field: threat.indicator.file.name + ignore_missing: true + - rename: + field: abusech.malwarebazaar.file_type_mime + target_field: threat.indicator.file.mime_type + ignore_missing: true + - rename: + field: abusech.malwarebazaar.reporter + target_field: threat.indicator.provider + ignore_missing: true + - rename: + field: abusech.malwarebazaar.origin_country + target_field: threat.indicator.geo.country_iso_code + ignore_missing: true + - rename: + field: abusech.malwarebazaar.signature + target_field: threat.software.alias + ignore_missing: true + - foreach: + field: abusech.malwarebazaar.code_sign + 
ignore_missing: true + processor: + rename: + field: _ingest._value.subject_cn + target_field: threat.indicator.file.x509.subject.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.issuer_cn + target_field: threat.indicator.file.x509.issuer.common_name + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.algorithm + target_field: threat.indicator.file.x509.public_key_algorithm + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.valid_from + target_field: threat.indicator.file.x509.not_before + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.valid_to + target_field: threat.indicator.file.x509.not_after + - foreach: + field: abusech.malwarebazaar.code_sign + ignore_missing: true + processor: + rename: + field: _ingest._value.serial_number + target_field: threat.indicator.file.x509.serial_number + - rename: + field: abusech.malwarebazaar.file_size + target_field: threat.indicator.file.size + ignore_missing: true + - rename: + field: abusech.malwarebazaar.file_type + target_field: threat.indicator.file.extension + ignore_missing: true + - rename: + field: abusech.malwarebazaar.md5_hash + target_field: threat.indicator.file.hash.md5 + ignore_missing: true + - rename: + field: abusech.malwarebazaar.sha256_hash + target_field: threat.indicator.file.hash.sha256 + ignore_missing: true + - rename: + field: abusech.malwarebazaar.sha1_hash + target_field: threat.indicator.file.hash.sha1 + ignore_missing: true + - rename: + field: abusech.malwarebazaar.sha3_384_hash + target_field: threat.indicator.file.hash.sha384 + ignore_missing: true + - rename: + field: abusech.malwarebazaar.imphash + target_field: threat.indicator.file.pe.imphash + ignore_missing: true + - rename: + field: 
abusech.malwarebazaar.ssdeep + target_field: threat.indicator.file.hash.ssdeep + ignore_missing: true + - rename: + field: abusech.malwarebazaar.tlsh + target_field: threat.indicator.file.hash.tlsh + ignore_missing: true + - rename: + field: abusech.malwarebazaar.telfhash + target_field: threat.indicator.file.elf.telfhash + ignore_missing: true + - append: + field: related.hash + value: "{{ threat.indicator.file.hash.md5 }}" + if: ctx?.threat?.indicator?.file?.hash?.md5 != null + - append: + field: related.hash + value: "{{ threat.indicator.file.hash.sha256 }}" + if: ctx?.threat?.indicator?.file?.hash?.sha256 != null + - append: + field: related.hash + value: "{{ threat.indicator.file.hash.ssdeep }}" + if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null + - append: + field: related.hash + value: "{{ threat.indicator.file.pe.imphash }}" + if: ctx?.threat?.indicator?.file?.pe?.imphash != null + - append: + field: related.hash + value: "{{ threat.indicator.file.elf.telfhash }}" + if: ctx?.threat?.indicator?.file?.elf?.telfhash != null + - append: + field: related.hash + value: "{{ threat.indicator.file.hash.tlsh }}" + if: ctx?.threat?.indicator?.file?.hash?.tlsh != null + - convert: + field: threat.indicator.file.size + type: long + ignore_missing: true + - convert: + field: abusech.malwarebazaar.intelligence.downloads + type: long + ignore_missing: true + - convert: + field: abusech.malwarebazaar.intelligence.uploads + type: long + ignore_missing: true + + ###################### + # Cleanup processors # + ###################### + - set: + field: threat.indicator.type + value: unknown + if: ctx?.threat?.indicator?.type == null + - script: + lang: painless + if: ctx?.abusech != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x 
instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - abusech.malwarebazaar.first_seen + - abusech.malwarebazaar.last_seen + - message + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/agent.yml b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/agent.yml 
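Review bot: `abusech.malwarebazaar.sha1_hash` is renamed to `threat.indicator.file.hash.sha1` but, unlike md5, sha256, ssdeep, imphash, telfhash and tlsh, it is never appended to `related.hash`, so indicator-match rules that pivot on `related.hash` will miss SHA-1 sightings; add an `append` to `related.hash` for `threat.indicator.file.hash.sha1`, guarded by `if: ctx?.threat?.indicator?.file?.hash?.sha1 != null`, alongside the others. Renaming `sha3_384_hash` into `threat.indicator.file.hash.sha384` mislabels the algorithm — ECS documents `hash.sha384` as a SHA384 (SHA-2) digest, and a SHA3-384 value stored there will never match a genuine SHA-384 hash — so it is safer to keep it under a custom `abusech.malwarebazaar.*` field until ECS has a SHA-3 field. The `{{ }}` Mustache in these appends differs from the triple-brace `{{{ }}}` used for the same hash values in the malware pipeline earlier in this commit; double braces may HTML-escape characters that occur in ssdeep digests, so the two pipelines should agree, preferably on `{{{ }}}`. Lastly, `description` still reads `Pipeline for parsing Abuse.ch URL Threat Intel` and should name MalwareBazaar.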
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/base-fields.yml b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/base-fields.yml new file mode 100755 index 0000000000..d71e6e59d4 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_abusech +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_abusech.malwarebazaar +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: AbuseCH MalwareBazaar +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/beats.yml b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/ecs.yml b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/ecs.yml new file mode 100755 index 0000000000..31555883ca --- /dev/null 
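Review bot: `threat.feed.dashboard_id` in the malwarebazaar base-fields.yml carries the same value as the malware stream's base-fields.yml earlier in this commit, `ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6`; if both streams are meant to share one Kibana CTI dashboard that is fine, but if each stream has its own dashboard this looks like a copy-paste that will point the MalwareBazaar feed at the wrong panel. A short comment above the field recording which dashboard the id refers to would settle it for the next maintainer.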
+++ b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/ecs.yml 
@@ -0,0 +1,141 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: Type of indicator as represented by Cyber Observable in STIX 2.0. 
+ name: threat.indicator.type + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: threat.indicator.file.size + type: long +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: Name of the file including the extension, without the directory. + name: threat.indicator.file.name + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.file.extension + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. 
+ name: threat.indicator.file.mime_type + type: keyword +- description: |- + The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. + While not required, you can use a MITRE ATT&CK® associated software description. + name: threat.software.alias + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: SSDEEP hash. + name: threat.indicator.file.hash.ssdeep + type: keyword +- description: The file's sha384 hash, if available. + name: threat.indicator.file.hash.sha384 + type: keyword +- description: The file's import tlsh, if available. + name: threat.indicator.file.hash.tlsh + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: threat.indicator.file.pe.imphash + type: keyword +- description: telfhash symbol hash for ELF file. + name: threat.indicator.file.elf.telfhash + type: keyword +- description: List of common names (CN) of subject. + name: threat.indicator.file.x509.subject.common_name + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: threat.indicator.file.x509.issuer.common_name + type: keyword +- description: Algorithm used to generate the public key. + name: threat.indicator.file.x509.public_key_algorithm + type: keyword +- description: Time at which the certificate is first considered valid. + name: threat.indicator.file.x509.not_before + type: date +- description: Time at which the certificate is no longer considered valid. 
+ name: threat.indicator.file.x509.not_after + type: date +- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + name: threat.indicator.file.x509.serial_number + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword +- description: Country ISO code. + name: threat.indicator.geo.country_iso_code + type: keyword diff --git a/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/fields.yml b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/fields.yml new file mode 100755 index 0000000000..8fab848b82 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/fields/fields.yml @@ -0,0 +1,45 @@ +- name: abusech.malwarebazaar + type: group + description: All fields related to AbuseCH URL indicators. + fields: + - name: tags + type: keyword + description: > + A list of tags associated with the queried malware sample. + + - name: intelligence + type: group + fields: + - name: downloads + type: long + description: > + Number of downloads from MalwareBazaar. + + - name: uploads + type: long + description: > + Number of uploads from MalwareBazaar. + + - name: mail + type: group + fields: + - name: Generic + type: keyword + description: > + Malware seen in generic spam traffic. + + - name: IT + type: keyword + description: > + Malware seen in IT spam traffic. + + - name: anonymous + type: long + description: > + Identifies if the sample was submitted anonymously. + + - name: code_sign + type: keyword + description: > + Code signing information for the sample. + diff --git a/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/manifest.yml b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/manifest.yml new file mode 100755 index 0000000000..4ec941f6c5 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/manifest.yml 
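Review bot: The description of `threat.indicator.file.hash.tlsh` reads `The file's import tlsh, if available.`, which conflates TLSH with an import hash; TLSH is a locality-sensitive hash over the file contents and is unrelated to imports, so the text should read `The file's TLSH, if available.`. The neighbouring `hash.sha384` description, `The file's sha384 hash, if available.`, is correct as written but worth double-checking against what the pipeline actually stores there, since the sample event below fills it from the feed's `sha3_384_hash`.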
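Review bot: The group description for `abusech.malwarebazaar` is a copy-paste leftover, `All fields related to AbuseCH URL indicators.`, and should read `All fields related to AbuseCH MalwareBazaar indicators.`. `anonymous` is documented as a flag ("Identifies if the sample was submitted anonymously") but mapped as `long`; if the feed only ever emits 0/1, converting it to `boolean` the way the url pipeline converts `larted` would make the two data streams consistent, otherwise the description should say it is a numeric flag.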
@@ -0,0 +1,68 @@ +type: logs +title: AbuseCH MalwareBazaar logs +streams: + - input: httpjson + vars: + - name: url + type: text + title: AbuseCH MalwareBazaar API endpoint + multi: false + required: true + show_user: false + default: https://mb-api.abuse.ch/api/v1/ + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: false + default: 30s + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 10m + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - abusech-malwarebazaar + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: AbuseCH MalwareBazaar logs + description: Collect AbuseCH MalwareBazaar logs diff --git a/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/sample_event.json b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/sample_event.json new file mode 100755 index 0000000000..0403fcfacc --- /dev/null 
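Review bot: The `proxy_url` description, `URL to proxy connections in the form of http\[s\]://:@:`, has lost its placeholders and is unreadable to an operator; it appears the angle-bracketed tokens were stripped somewhere, and the line should read `description: "URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>"` (placeholders, not real values). Since the proxy URL can carry credentials, the description is also the right place to say they are stored in the policy as given. The same garbled text is in the url data stream's manifest.yml further down; the `url` and `ssl` vars in both manifests have no `description` at all.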
+++ b/packages/ti_abusech/1.6.0/data_stream/malwarebazaar/sample_event.json 
@@ -0,0 +1,95 @@ +{ + "@timestamp": "2022-04-11T08:44:21.828Z", + "abusech": { + "malwarebazaar": { + "anonymous": 0, + "code_sign": [], + "intelligence": { + "downloads": 11, + "uploads": 1 + }, + "tags": [ + "exe", + "RedLineStealer" + ] + } + }, + "agent": { + "ephemeral_id": "15657330-8e8b-49be-b82d-529320d9c53c", + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_abusech.malwarebazaar", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:44:21.828Z", + "dataset": "ti_abusech.malwarebazaar", + "ingested": "2022-04-11T08:44:22Z", + "kind": "enrichment", + "original": "{\"anonymous\":0,\"code_sign\":[],\"dhash_icon\":null,\"file_name\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe\",\"file_size\":432640,\"file_type\":\"exe\",\"file_type_mime\":\"application/x-dosexec\",\"first_seen\":\"2021-10-05 14:02:45\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"intelligence\":{\"clamav\":null,\"downloads\":\"11\",\"mail\":null,\"uploads\":\"1\"},\"last_seen\":null,\"md5_hash\":\"1fc1c2997c8f55ac10496b88e23f5320\",\"origin_country\":\"FR\",\"reporter\":\"abuse_ch\",\"sha1_hash\":\"42c7153680d7402e56fe022d1024aab49a9901a0\",\"sha256_hash\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28\",\"sha3_384_hash\":\"d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955\",\"signature\":\"RedLineStealer\",\"ssdeep\":\"12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL\",\"tags\":[\"exe\",\"RedLineStealer\"],\"telfhash\":null,\"tlsh\":\"T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479\"}", + "type": "indicator" + }, + "input": { + 
"type": "httpjson" + }, + "related": { + "hash": [ + "1fc1c2997c8f55ac10496b88e23f5320", + "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28", + "12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL", + "f34d5f2d4577ed6d9ceec516c1f5a744", + "T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "abusech-malwarebazaar" + ], + "threat": { + "indicator": { + "file": { + "elf": {}, + "extension": "exe", + "hash": { + "md5": "1fc1c2997c8f55ac10496b88e23f5320", + "sha1": "42c7153680d7402e56fe022d1024aab49a9901a0", + "sha256": "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28", + "sha384": "d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955", + "ssdeep": "12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL", + "tlsh": "T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479" + }, + "mime_type": "application/x-dosexec", + "name": "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe", + "pe": { + "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744" + }, + "size": 432640 + }, + "first_seen": "2021-10-05T14:02:45.000Z", + "geo": { + "country_iso_code": "FR" + }, + "provider": "abuse_ch", + "type": "file" + }, + "software": { + "alias": "RedLineStealer" + } + } +} \ No newline at end of file diff --git a/packages/ti_abusech/1.6.0/data_stream/url/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.6.0/data_stream/url/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..92be22f0b6 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/url/agent/stream/httpjson.yml.hbs 
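Review bot: The sample shows the feed's `sha3_384_hash` value landing in `threat.indicator.file.hash.sha384`, but SHA3-384 and SHA-384 are different algorithms with different digests for the same file, so an analyst pivoting on `hash.sha384` from another source will never get a match and may wrongly conclude the sample is unknown. The MalwareBazaar pipeline is not in this diff, so I cannot see where the mapping happens; either keep the value under the vendor field (`abusech.malwarebazaar.sha3_384_hash`) or document in the ecs.yml description that this field holds SHA3-384 for this feed. Separately, the `"elf": {}` object survives the null-cleanup because only null leaves are dropped, not the now-empty map.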
@@ -0,0 +1,38 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" + +{{#if url}} +request.url: {{url}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: +- set: + target: header.Content-Type + value: application/json + +response.split: + target: body.urls + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/ti_abusech/1.6.0/data_stream/url/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.6.0/data_stream/url/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..7fb2584cdc --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/url/elasticsearch/ingest_pipeline/default.yml 
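Review bot: `request.url: {{url}}` and `request.proxy_url: {{proxy_url}}` are rendered unquoted, so the resulting stream config is only valid YAML while the operator-supplied value contains no `: ` or ` #`; quoting the templated scalars, `request.url: "{{url}}"` and `request.proxy_url: "{{proxy_url}}"`, keeps the rendered file parseable regardless of input and matches the usual guidance for templated YAML. The `Content-Type: application/json` header added through `request.transforms` on a body-less GET does no harm but is probably a leftover from a POST-style template.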
@@ -0,0 +1,123 @@ +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: '8.4.0' + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: abusech.url + - fingerprint: + fields: + - abusech.url.id + target_field: "_id" + + ##################### + # Threat ECS Fields # + ##################### + - set: + field: threat.indicator.type + value: url + - date: + field: abusech.url.date_added + target_field: threat.indicator.first_seen + formats: + - "yyyy-MM-dd HH:mm:ss z" + - "yyyy-MM-dd HH:mm:ss Z" + if: "ctx.abusech?.url?.date_added != null" + - uri_parts: + field: abusech.url.url + target_field: threat.indicator.url + keep_original: true + remove_if_successful: true + - set: + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" + ignore_empty_value: true + - rename: + field: abusech.url.urlhaus_reference + target_field: threat.indicator.reference + ignore_missing: true + + # Host can be both IP addresses and domain names + - grok: + field: abusech.url.host + patterns: + - "(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})" + ignore_failure: true + - rename: + field: abusech.url.reporter + target_field: threat.indicator.provider + ignore_missing: true + + ###################### + # Cleanup processors # + ###################### + - set: + field: threat.indicator.type + value: unknown + if: ctx?.threat?.indicator?.type == null + - convert: + field: abusech.url.larted + type: boolean + ignore_missing: true + - script: + lang: painless + if: ctx?.abusech != null + source: | + void handleMap(Map map) { 
+ for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - abusech.url.date_added + - abusech.url.url + - abusech.url.host + - message + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_abusech/1.6.0/data_stream/url/fields/agent.yml b/packages/ti_abusech/1.6.0/data_stream/url/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/url/fields/agent.yml 
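Review bot: The grok pattern `(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})` is not anchored, and unless I am mistaken the grok processor matches substrings, so a hostname that merely starts with something IP-shaped (for example a dotted-decimal label in front of a domain) would populate `threat.indicator.ip` with the prefix and drop the domain entirely. Anchoring the pattern, `"^(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})$"`, makes the IP branch apply only when the whole host is an address. Also worth a comment: `fingerprint` on `abusech.url.id` has no `ignore_missing`, so a record without `id` is routed to `on_failure` rather than indexed with a generated `_id`, which is presumably the intent.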
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_abusech/1.6.0/data_stream/url/fields/base-fields.yml b/packages/ti_abusech/1.6.0/data_stream/url/fields/base-fields.yml new file mode 100755 index 0000000000..516451aa4c --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/url/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_abusech +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_abusech.url +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: AbuseCH URL +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6 +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_abusech/1.6.0/data_stream/url/fields/beats.yml b/packages/ti_abusech/1.6.0/data_stream/url/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/url/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/ti_abusech/1.6.0/data_stream/url/fields/ecs.yml b/packages/ti_abusech/1.6.0/data_stream/url/fields/ecs.yml new file mode 100755 index 0000000000..50b0000459 --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/url/fields/ecs.yml 
@@ -0,0 +1,114 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
+ name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: Type of indicator as represented by Cyber Observable in STIX 2.0. + name: threat.indicator.type + type: keyword +- description: Reference URL linking to additional information about this indicator. + name: threat.indicator.reference + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. 
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword diff --git a/packages/ti_abusech/1.6.0/data_stream/url/fields/fields.yml b/packages/ti_abusech/1.6.0/data_stream/url/fields/fields.yml new file mode 100755 index 0000000000..63f361d48e --- /dev/null +++ b/packages/ti_abusech/1.6.0/data_stream/url/fields/fields.yml 
@@ -0,0 +1,49 @@
+- name: abusech.url
+ type: group
+ description: All fields related to AbuseCH URL indicators.
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ The ID of the indicator.
+
+ - name: urlhaus_reference
+ type: keyword
+ description: >
+ Link to URLhaus entry.
+
+ - name: url_status
+ type: keyword
+ description: >
+ The current status of the URL. Possible values are: online, offline and unknown.
+
+ - name: threat
+ type: keyword
+ description: >
+ The threat corresponding to this malware URL.
+
+ - name: reporter
+ type: keyword
+ description: >
+ The Twitter handle of the reporter that has reported this malware URL (or anonymous).
+
+ - name: larted
+ type: boolean
+ description: >
+ Indicates whether the malware URL has been reported to the hosting provider (true or false)
+
+ - name: tags
+ type: keyword
+ description: >
+ A list of tags associated with the queried malware URL
+
+ - name: blacklists.spamhaus_dbl
+ type: keyword
+ description: >
+ If the indicator is listed on the spamhaus blacklist.
+
+ - name: blacklists.surbl
+ type: keyword
+ description: >
+ If the indicator is listed on the surbl blacklist.
+
diff --git a/packages/ti_abusech/1.6.0/data_stream/url/manifest.yml b/packages/ti_abusech/1.6.0/data_stream/url/manifest.yml
new file mode 100755
index 0000000000..689bbf2a44
--- /dev/null
+++ b/packages/ti_abusech/1.6.0/data_stream/url/manifest.yml
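Review bot: The descriptions of `blacklists.spamhaus_dbl` and `blacklists.surbl` are phrased as yes/no conditions ("If the indicator is listed …") while both fields are mapped as `keyword`, and the sample event added in this same change carries the string `"not listed"` for each of them, so an analyst cannot tell from the schema what value to filter on. Suggest stating the value domain instead, e.g. `description: > Spamhaus DBL listing status for this indicator as reported by URLhaus, e.g. "not listed".` (and the same for SURBL); the form of the value when an indicator *is* listed is not visible here, so confirm it against the URLhaus API before documenting it. The `tags` description could also note that the field is absent when the API returns `null`, as the `event.original` in the sample event shows, rather than implying a list is always present.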
@@ -0,0 +1,68 @@
+type: logs
+title: AbuseCH URL logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: AbuseCH URL API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://urlhaus-api.abuse.ch/v1/urls/recent/
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - abusech-url
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+title: AbuseCH URL logs
+description: Collect AbuseCH URL logs
diff --git a/packages/ti_abusech/1.6.0/data_stream/url/sample_event.json b/packages/ti_abusech/1.6.0/data_stream/url/sample_event.json
new file mode 100755
index 0000000000..9add2167bf
--- /dev/null
+++ b/packages/ti_abusech/1.6.0/data_stream/url/sample_event.json
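Review bot: The `proxy_url` description has lost its placeholders and now reads `http\[s\]://:@:`, which is not a usable form string for the user; it should spell the parts out, e.g. `description: URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>`. Since that form embeds proxy credentials in a policy variable, a follow-on sentence that the credentials become part of the agent policy and that an unauthenticated proxy should be preferred where available would be a useful caveat (how the policy stores variables is not visible in this change, so phrase it as guidance). The `ssl` variable is `type: yaml` with no description at all; one line naming what the mapping holds (the Beats SSL client settings, e.g. `verification_mode` and `certificate_authorities`) and a note that disabling verification lets an on-path party substitute indicators for this threat-intel feed would make the option safer to use.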
@@ -0,0 +1,71 @@ +{ + "@timestamp": "2022-04-11T08:44:51.227Z", + "abusech": { + "url": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "id": "1656008", + "larted": true, + "threat": "malware_download", + "url_status": "online" + } + }, + "agent": { + "ephemeral_id": "7dd3429b-dcc4-46c1-8b32-b3d1452126fd", + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_abusech.url", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:44:51.227Z", + "dataset": "ti_abusech.url", + "ingested": "2022-04-11T08:44:52Z", + "kind": "enrichment", + "original": "{\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"date_added\":\"2021-10-05 13:57:05 UTC\",\"host\":\"120.85.169.98\",\"id\":\"1656008\",\"larted\":\"true\",\"reporter\":\"tammeto\",\"tags\":null,\"threat\":\"malware_download\",\"url\":\"http://120.85.169.98:55871/mozi.m\",\"url_status\":\"online\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/1656008/\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "abusech-url" + ], + "threat": { + "indicator": { + "first_seen": "2021-10-05T13:57:05.000Z", + "ip": "120.85.169.98", + "provider": "tammeto", + "reference": "https://urlhaus.abuse.ch/url/1656008/", + "type": "url", + "url": { + "domain": "120.85.169.98", + "extension": "m", + "full": "http://120.85.169.98:55871/mozi.m", + "original": "http://120.85.169.98:55871/mozi.m", + "path": "/mozi.m", + "port": 55871, + "scheme": "http" + } + } + } +} \ No newline at end of file 
diff --git a/packages/ti_abusech/1.6.0/docs/README.md b/packages/ti_abusech/1.6.0/docs/README.md new file mode 100755 index 0000000000..25f3fc12b8 --- /dev/null +++ b/packages/ti_abusech/1.6.0/docs/README.md 
@@ -0,0 +1,262 @@ +# AbuseCH integration + +This integration is for [AbuseCH](https://urlhaus-api.abuse.ch/) logs. It includes the following datasets for retrieving logs from the AbuseCH API: + +- `url` dataset: Supports URL based indicators from AbuseCH API. +- `malware` dataset: Supports Malware based indicators from AbuseCH API. +- `malwarebazaar` dataset: Supports indicators from the MalwareBazaar from AbuseCH. + +## Logs + +### URL + +The AbuseCH URL data_stream retrieves threat intelligence indicators from the URL API endpoint `https://urlhaus-api.abuse.ch/v1/urls/recent/`. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.url.blacklists.spamhaus_dbl | If the indicator is listed on the spamhaus blacklist. | keyword | +| abusech.url.blacklists.surbl | If the indicator is listed on the surbl blacklist. | keyword | +| abusech.url.id | The ID of the indicator. | keyword | +| abusech.url.larted | Indicates whether the malware URL has been reported to the hosting provider (true or false) | boolean | +| abusech.url.reporter | The Twitter handle of the reporter that has reported this malware URL (or anonymous). | keyword | +| abusech.url.tags | A list of tags associated with the queried malware URL | keyword | +| abusech.url.threat | The threat corresponding to this malware URL. | keyword | +| abusech.url.url_status | The current status of the URL. Possible values are: online, offline and unknown. | keyword | +| abusech.url.urlhaus_reference | Link to URLhaus entry. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. 
| keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | + + +The AbuseCH malware data_stream retrieves threat intelligence indicators from the payload API endpoint `https://urlhaus-api.abuse.ch/v1/payloads/recent/`. 
+ +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.malware.signature | Malware familiy. | keyword | +| abusech.malware.virustotal.link | Link to the Virustotal report. | keyword | +| abusech.malware.virustotal.percent | AV detection in percent. | float | +| abusech.malware.virustotal.result | AV detection ration. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. 
| match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| tags | List of keywords used to tag each event. 
| keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | +| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword | +| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | + + +The AbuseCH malwarebazaar data_stream retrieves threat intelligence indicators from the MalwareBazaar API endpoint `https://mb-api.abuse.ch/api/v1/`. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.malwarebazaar.anonymous | Identifies if the sample was submitted anonymously. | long | +| abusech.malwarebazaar.code_sign | Code signing information for the sample. | keyword | +| abusech.malwarebazaar.intelligence.downloads | Number of downloads from MalwareBazaar. | long | +| abusech.malwarebazaar.intelligence.mail.Generic | Malware seen in generic spam traffic. 
| keyword | +| abusech.malwarebazaar.intelligence.mail.IT | Malware seen in IT spam traffic. | keyword | +| abusech.malwarebazaar.intelligence.uploads | Number of uploads from MalwareBazaar. | long | +| abusech.malwarebazaar.tags | A list of tags associated with the queried malware sample. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. 
| match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| tags | List of keywords used to tag each event. 
| keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.sha384 | The file's sha384 hash, if available. | keyword | +| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | +| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword | +| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. 
| keyword | +| threat.indicator.file.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| threat.indicator.file.x509.not_before | Time at which the certificate is first considered valid. | date | +| threat.indicator.file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| threat.indicator.file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| threat.indicator.file.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword | diff --git a/packages/ti_abusech/1.6.0/img/abusech2.svg b/packages/ti_abusech/1.6.0/img/abusech2.svg new file mode 100755 index 0000000000..6a0c76dd2c --- /dev/null +++ b/packages/ti_abusech/1.6.0/img/abusech2.svg @@ -0,0 +1,76 @@ + + + + diff --git a/packages/ti_abusech/1.6.0/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json b/packages/ti_abusech/1.6.0/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json new file mode 100755 index 0000000000..59a4a7e24c --- /dev/null 
+++ b/packages/ti_abusech/1.6.0/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the AbuseCH integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[AbuseCH Overview](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6) \\n[AbuseCH Files](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6) \\n**[AbuseCH URLs (This Page)](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420)** \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different 
threat intelligence indicators with a **threat.indicator.type: url**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-72aa700a-49b6-4a2f-b380-24ebe7124ec1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"72aa700a-49b6-4a2f-b380-24ebe7124ec1\":{\"columnOrder\":[\"0389e125-4ae6-412a-a4af-2fa28f18c412\"],\"columns\":{\"0389e125-4ae6-412a-a4af-2fa28f18c412\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.blacklists.spamhaus_dbl: * and not abusech.url.blacklists.spamhaus_dbl:\\\"not listed\\\" \"},\"isBucketed\":false,\"label\":\"Indicators on Spamhaus 
DBL\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0389e125-4ae6-412a-a4af-2fa28f18c412\",\"layerId\":\"72aa700a-49b6-4a2f-b380-24ebe7124ec1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"8272f9f8-d835-4e4c-9e63-7cdbfb14d190\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"8272f9f8-d835-4e4c-9e63-7cdbfb14d190\",\"title\":\"Spamhaus Count [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4fe4b45f-8f52-4794-a386-8e3f6352aa25\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4fe4b45f-8f52-4794-a386-8e3f6352aa25\":{\"columnOrder\":[\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\"],\"columns\":{\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.blacklists.surbl: * and not abusech.url.blacklists.surbl:\\\"not listed\\\" \"},\"isBucketed\":false,\"label\":\"Indicators on 
SURBL\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\",\"layerId\":\"4fe4b45f-8f52-4794-a386-8e3f6352aa25\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6\",\"title\":\"Surbl Counter [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8f36a8c1-19df-4eba-8fa5-4f259d349375\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8f36a8c1-19df-4eba-8fa5-4f259d349375\":{\"columnOrder\":[\"efd6bc64-ffcd-42fe-8218-0795986addc4\"],\"columns\":{\"efd6bc64-ffcd-42fe-8218-0795986addc4\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.url_status: \\\"online\\\" \"},\"isBucketed\":false,\"label\":\"URL's Online\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"efd6bc64-ffcd-42fe-8218-0795986addc4\",\"layerId\":\"8f36a8c1-19df-4eba-8fa5-4f259d349375\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"a96389e6-d361-457e-afc1-0dbdb35ee7e0\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"a96389e6-d361-457e-afc1-0dbdb35ee7e0\",\"title\":\"URLs Online 
[Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471ad94f-c181-4ffb-a640-1666974adb33\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471ad94f-c181-4ffb-a640-1666974adb33\":{\"columnOrder\":[\"8cd8034f-16bf-4a7a-b816-950498dc1f90\"],\"columns\":{\"8cd8034f-16bf-4a7a-b816-950498dc1f90\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.url_status:\\\"offline\\\" \"},\"isBucketed\":false,\"label\":\"URL's Offline\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8cd8034f-16bf-4a7a-b816-950498dc1f90\",\"layerId\":\"471ad94f-c181-4ffb-a640-1666974adb33\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b2904153-3afd-41a7-8f5f-01b76b8346ec\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"b2904153-3afd-41a7-8f5f-01b76b8346ec\",\"title\":\"URLs Offline [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs AbuseCH] URLs", + "version": 1 
+ }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8272f9f8-d835-4e4c-9e63-7cdbfb14d190:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8272f9f8-d835-4e4c-9e63-7cdbfb14d190:indexpattern-datasource-layer-72aa700a-49b6-4a2f-b380-24ebe7124ec1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6:indexpattern-datasource-layer-4fe4b45f-8f52-4794-a386-8e3f6352aa25", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "a96389e6-d361-457e-afc1-0dbdb35ee7e0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a96389e6-d361-457e-afc1-0dbdb35ee7e0:indexpattern-datasource-layer-8f36a8c1-19df-4eba-8fa5-4f259d349375", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2904153-3afd-41a7-8f5f-01b76b8346ec:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2904153-3afd-41a7-8f5f-01b76b8346ec:indexpattern-datasource-layer-471ad94f-c181-4ffb-a640-1666974adb33", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file 
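Review bot: The URLs dashboard's searchSourceJSON filters only on `event.dataset` and `threat.indicator.type: url`, whereas the Files dashboard in the following hunk additionally pins `event.kind: enrichment`; presumably both pages are meant to share the same base filter set, and if any of the three datasets ever carries documents of another `event.kind` the counters and top-domain table here would silently include them, so adding the same `{\"match_phrase\":{\"event.kind\":\"enrichment\"}}` filter (with its `filter[2].meta.index` reference entry) would keep the two dashboards consistent. Two copy-paste issues in panelsJSON: the markdown navigation panel on this URLs page is titled `Files Navigation Textbox [Logs AbuseCH]` (hidden by `hidePanelTitles`, but misleading in the saved object), and the treemap panel `Most Popular File Extensions [Logs AbuseCH]` lists the same column id `15e2b5ad-2040-4253-89a6-60f085c66f86` twice in `groups`, which looks like an accidental duplicate rather than an intended nested split. Metric labels are inconsistent in register (`URL's Online` / `URL's Offline` with a possessive apostrophe, `Spamhaus Count` next to `Surbl Counter`); `URLs Online`, `URLs Offline`, `Spamhaus Count` and `SURBL Count` would read uniformly. The file also ends without a trailing newline.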
diff --git a/packages/ti_abusech/1.6.0/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.6.0/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json
new file mode 100755
index 0000000000..c27db69f53
--- /dev/null
+++ b/packages/ti_abusech/1.6.0/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json
@@ -0,0 +1,147 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the AbuseCH integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[AbuseCH Overview](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6) \\n**[AbuseCH Files (This 
Page)](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6)** \\n[AbuseCH URLs](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420) \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":46,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File 
types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"b8c9d8e0-3bb8-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"118b51de-bd55-4ed6-b916-c939ad73b2c3\":{\"columnOrder\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\",\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\"],\"columns\":{\"1ada77b6-5741-44ff-a00d-4653fca22f84\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top Countries\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Countries\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\"],\"layerId\":\"118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Top Countries [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"title\":\"Top Countries [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Based on count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Most seen indicator tags\",\"field\":\"abusech.malwarebazaar.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Most seen indicator tags [Logs 
AbuseCH]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":19,\"i\":\"d1788a2e-c400-4d7b-9251-a8e5a806b6ef\",\"w\":20,\"x\":7,\"y\":27},\"panelIndex\":\"d1788a2e-c400-4d7b-9251-a8e5a806b6ef\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]",
+ "timeRestore": false,
+ "title": "[Logs AbuseCH] Files",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d1788a2e-c400-4d7b-9251-a8e5a806b6ef:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674",
+ "type": "index-pattern"
+ },
+ {
+ "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6",
+ "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ti_abusech/1.6.0/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.6.0/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json
new file mode 100755
index 0000000000..103067d9d5
--- /dev/null
+++ b/packages/ti_abusech/1.6.0/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json
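Review bot: The seven "Unique …" metric panels in panelsJSON (`operationType: unique_count` over `threat.indicator.file.type`, the `threat.indicator.file.hash.*` fields and `threat.indicator.file.pe.imphash`) are backed by the cardinality aggregation, which is approximate once the distinct count grows past its precision threshold, yet the navigation markdown presents them as "hash type counters" for judging "the health of your indicators". An analyst reconciling feed volume against these numbers could read a small discrepancy as dropped or duplicated indicators, so I would add one sentence to that markdown, e.g. `Unique-hash counters use the cardinality aggregation and are approximate at large distinct counts; use Discover or a terms query for exact reconciliation.` Separately, two by-value panels carry a `sharingSavedObjectProps.sourceId` without the package's `ti_abusech-` prefix (`b8c9d8e0-3bb8-…` for Top Countries, `2d0c0ec0-3bbf-…` for Most popular file names) while every other panel is prefixed; presumably harmless because the Lens state is inline, but worth aligning so the IDs follow one convention.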
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the AbuseCH integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[AbuseCH Overview (This Page)](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6)** \\n[AbuseCH Files](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6) \\n[AbuseCH URLs](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420) \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the AbuseCH 
integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from AbuseCH. \\n\\nIt shows how many parts has been enabled (URL, Malware and MalwareBazaar), the ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from AbuseCH.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\":{\"columnOrder\":[\"66779b74-d127-4249-93e4-b8cd9c39b91f\",\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"columns\":{\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"66779b74-d127-4249-93e4-b8cd9c39b91f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"layerId\":\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"66779b74-d127-4249-93e4-b8cd9c39b91f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"inside\",\"xTitle\":\"Providers\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Count\"}},\"title\":\"Total Indicators per Provider [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"title\":\"Total Indicators per Provider [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs AbuseCH] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6", + 
"migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6",
+ "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ti_abusech/1.6.0/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.6.0/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json
new file mode 100755
index 0000000000..7cf7c3514a
--- /dev/null
+++ b/packages/ti_abusech/1.6.0/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#6092C0",
+ "description": "",
+ "name": "AbuseCH"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag"
+}
\ No newline at end of file
diff --git a/packages/ti_abusech/1.6.0/manifest.yml b/packages/ti_abusech/1.6.0/manifest.yml
new file mode 100755
index 0000000000..21b904a01f
--- /dev/null
+++ b/packages/ti_abusech/1.6.0/manifest.yml
@@ -0,0 +1,26 @@
+name: ti_abusech
+title: AbuseCH
+version: "1.6.0"
+release: ga
+description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: ["security", "threat_intel"]
+conditions:
+ kibana.version: ^8.0.0
+icons:
+ - src: /img/abusech2.svg
+ title: AbuseCH
+ size: 512x512
+ type: image/svg+xml
+policy_templates:
+ - name: ti_abusech
+ title: AbuseCH API
+ description: Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent.
+ inputs:
+ - type: httpjson
+ title: "Collect AbuseCH logs via API"
+ description: "Ingest threat intelligence indicators from URL Haus and Malware Bazaar feeds with Elastic Agent."
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/ti_misp/1.6.1/changelog.yml b/packages/ti_misp/1.6.1/changelog.yml
new file mode 100755
index 0000000000..b100ca1de8
--- /dev/null
+++ b/packages/ti_misp/1.6.1/changelog.yml
@@ -0,0 +1,71 @@
+# newer versions go on top
+- version: "1.6.1"
+ changes:
+ - description: Fix proxy URL documentation rendering.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3881
+- version: "1.6.0"
+ changes:
+ - description: Update categories to include `threat_intel`.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3689
+- version: "1.5.0"
+ changes:
+ - description: Update package to ECS 8.3.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3353
+- version: "1.4.1"
+ changes:
+ - description: update readme to include link to MISP documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3168
+- version: "1.4.0"
+ changes:
+ - description: Fix pagination looping forever
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3446
+- version: "1.3.1"
+ changes:
+ - description: Update package descriptions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3398
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.2.2"
+ changes:
+ - description: Add mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2448
+- version: "1.1.0"
+ changes:
+ - description: Adds dashboards and threat.feed ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2485
+- version: "1.0.2"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.1"
+ changes:
+ - description: Bump minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1946
diff --git a/packages/ti_misp/1.6.1/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_misp/1.6.1/data_stream/threat/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..8172ba39f7
--- /dev/null
+++ b/packages/ti_misp/1.6.1/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,75 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "POST"
+
+{{#if url}}
+request.url: {{url}}/events/restSearch
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+request.body:
+{{#if filters}}
+ {{filters}}
+{{/if}}
+request.transforms:
+{{#if api_token}}
+- set:
+ target: header.Authorization
+ value: {{api_token}}
+{{/if}}
+- set:
+ target: body.page
+ value: 1
+- set:
+ target: body.limit
+ value: 10
+- set:
+ target: body.returnFormat
+ value: json
+- set:
+ target: body.timestamp
+ value: '[[.cursor.timestamp]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "UnixDate" ]]'
+
+response.split:
+ target: body.response
+ split:
+ target: body.Event.Attribute
+ ignore_empty_value: true
+ keep_parent: true
+ split:
+ target: body.Event.Object
+ keep_parent: true
+ split:
+ target: body.Event.Object.Attribute
+ keep_parent: true
+response.request_body_on_pagination: true
+response.pagination:
+- set:
+ target: body.page
+ value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]'
+ fail_on_template_error: true
+cursor:
+ timestamp:
+ value: '[[.last_event.Event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_misp/1.6.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_misp/1.6.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..fc6ea653a0
--- /dev/null
+++ b/packages/ti_misp/1.6.1/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
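Review bot: The values rendered from `api_token`, `url` and `proxy_url` are emitted into the YAML unquoted (`value: {{api_token}}`, `request.url: {{url}}/events/restSearch`, `request.proxy_url: {{proxy_url}}`), so a user value that starts with a YAML indicator or contains ` #` or `: ` is mis-parsed or truncated when the agent renders this template, and for the Authorization header the symptom is an opaque authentication failure rather than a clear config error. Quoting them — `value: "{{api_token}}"`, `request.url: "{{url}}/events/restSearch"`, `request.proxy_url: "{{proxy_url}}"` — keeps the rendered config well-formed for any user-supplied value. Also, `fail_on_template_error: true` is set on the pagination transform but not on the `body.timestamp` transform; I believe a template error there degrades to an empty timestamp and a much wider MISP search window instead of a failed request, so consider adding it to that transform as well.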
@@ -0,0 +1,385 @@ +--- +description: Pipeline for parsing MISP Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: "8.3.0" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.Event.Attribute.uuid + - json.Event.Object.Attribute.uuid + target_field: "_id" + ignore_missing: true + - rename: + field: json.Event + target_field: misp + ignore_missing: true + - set: + field: threat.indicator.provider + value: misp + if: ctx.misp?.Orgc?.local != 'false' + - set: + field: threat.indicator.provider + value: "{{misp.Orgc.name}}" + if: ctx.misp?.Orgc?.local == 'false' + ignore_empty_value: true + + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: + - misp.ShadowAttribute + - misp.RelatedEvent + - misp.Galaxy + - misp.Attribute.Galaxy + - misp.Attribute.ShadowAttribute + - misp.EventReport + - misp.Object.Attribute.Galaxy + - misp.Object.Attribute.ShadowAttribute + ignore_missing: true + - remove: + field: + - misp.Attribute + ignore_missing: true + if: ctx.misp?.Attribute.size() == 0 + - remove: + field: + - misp.Object + ignore_missing: true + if: ctx.misp?.Object.size() == 0 + - date: + field: misp.timestamp + formats: + - UNIX + ignore_failure: true + - rename: + field: misp.Attribute + target_field: misp.attribute + ignore_missing: true + - rename: + field: misp.Object + target_field: misp.object + ignore_missing: true + - rename: + field: misp.object.Attribute + target_field: misp.object.attribute + ignore_missing: true + - rename: + field: misp.Orgc + target_field: 
misp.orgc + ignore_missing: true + - rename: + field: misp.Org + target_field: misp.org + ignore_missing: true + - rename: + field: misp.Tag + target_field: misp.tag + ignore_missing: true + + # # Dance around issue of not being able to split the document into two. + # # Make the Object.Attribute field primary if it exists, but keep the + # # outer Attribute as context. + - rename: + field: misp.attribute + target_field: misp.context.attribute + ignore_missing: true + if: ctx.misp?.object != null + - rename: + field: misp.object.attribute + target_field: misp.attribute + ignore_missing: true + if: ctx.misp?.object != null + + ##################### + # Threat ECS Fields # + ##################### + - set: + field: threat.feed.name + value: "MISP" + - rename: + field: misp.attribute.first_seen + target_field: threat.indicator.first_seen + ignore_missing: true + - rename: + field: misp.attribute.last_seen + target_field: threat.indicator.last_seen + ignore_missing: true + - convert: + field: misp.analysis + type: long + target_field: threat.indicator.scanner_stats + ignore_missing: true + - convert: + field: misp.threat_level_id + type: long + ignore_missing: true + + ## File/Hash indicator operations + - set: + field: threat.indicator.type + value: file + if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))" + - rename: + field: misp.attribute.value + target_field: "threat.indicator.file.hash.{{misp.attribute.type}}" + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')" + - rename: + field: misp.attribute.value + target_field: threat.indicator.file.name + ignore_missing: true + if: 
"ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'" + - grok: + field: misp.attribute.type + patterns: + - "%{WORD}\\|%{WORD:_tmp.hashtype}" + ignore_missing: true + if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') + - grok: + field: misp.attribute.value + patterns: + - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}" + ignore_missing: true + if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') + - set: + field: threat.indicator.file.hash.{{_tmp.hashtype}} + value: "{{_tmp.hashvalue}}" + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null" + + ## URL/URI indicator operations + - set: + field: threat.indicator.type + value: url + if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)" + - uri_parts: + field: misp.attribute.value + target_field: threat.indicator.url + keep_original: true + remove_if_successful: true + if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri' + - set: + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" + ignore_empty_value: true + if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'" + + ## Regkey indicator operations + - set: + field: threat.indicator.type + value: windows-registry-key + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')" + - rename: + field: misp.attribute.value + target_field: threat.indicator.registry.key + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'" + - grok: + field: misp.attribute.value + patterns: + - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}" + ignore_missing: true + if: "ctx.misp?.attribute?.type == 
'regkey|value'" + + ## AS indicator operations + - set: + field: threat.indicator.type + value: autonomous-system + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'" + - convert: + field: misp.attribute.value + type: long + target_field: threat.indicator.as.number + ignore_missing: true + if: ctx.threat?.indicator?.type == 'autonomous-system' + + ## Domain/IP/Port indicator operations + - set: + field: threat.indicator.type + value: domain-name + if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || ctx.misp?.attribute?.type.startsWith('domain'))" + - set: + field: threat.indicator.type + value: ipv4-addr + if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" + - rename: + field: misp.attribute.value + target_field: threat.indicator.url.domain + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null" + - rename: + field: misp.attribute.value + target_field: threat.indicator.ip + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" + - grok: + field: misp.attribute.value + patterns: + - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}" + ignore_missing: true + if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null + - grok: + field: misp.attribute.value + patterns: + - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}" + ignore_missing: true + if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)" + + ## Email indicator operations + # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp. 
+ - set: + field: threat.indicator.type + value: email-addr + if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" + - set: + field: threat.indicator.type + value: email-message + if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)" + - rename: + field: misp.attribute.value + target_field: threat.indicator.email.address + ignore_missing: true + if: ctx.threat?.indicator?.type == 'email-addr' + - rename: + field: misp.event_creator_email + target_field: user.email + ignore_missing: true + - append: + field: user.roles + value: "reporting_user" + if: ctx?.user?.email != null + + ## MAC Address indicator operations + - set: + field: threat.indicator.type + value: mac-addr + if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)" + - rename: + field: misp.attribute.value + target_field: threat.indicator.mac + ignore_missing: true + if: ctx.threat?.indicator?.type == 'mac-addr' + + ################### + # Tags ECS fields # + ################### + # Stripping special characters from tags + - script: + lang: painless + if: ctx.misp?.tag != null + source: | + def tags = ctx.misp.tag.stream() + .map(t -> t.name.replace('\\', '').replace('"', '')) + .collect(Collectors.toList()); + def tlpTags = tags.stream() + .filter(t -> t.startsWith('tlp:')) + .map(t -> t.replace('tlp:', '')) + .collect(Collectors.toList()); + + ctx.tags = tags; + ctx.threat.indicator.marking = [ 'tlp': tlpTags ]; + + # Setting indicator type to unknown if it does not match anything + - set: + field: threat.indicator.type + value: unknown + if: ctx.threat?.indicator?.type == null + + ################# + # Convert types # + ################# + - convert: + field: misp.attribute.distribution + type: long + ignore_missing: true + - convert: + field: misp.context.attribute.distribution + type: long + 
ignore_missing: true + - convert: + field: threat.indicator.port + type: long + ignore_missing: true + - convert: + field: misp.attribute_count + type: long + ignore_missing: true + + ###################### + # Cleanup processors # + ###################### + - script: + lang: painless + if: ctx?.misp != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event + - remove: + field: + - misp.attribute.value + ignore_missing: true + if: ctx.threat?.indicator?.type != 'unknown' + - remove: + field: + # This removes a number of fields that may be wanted in the future when + # misp.attribute and misp.object.attribute can + # be separated. At the root of .object are fields that mirror fields at + # the root of misp. + - misp.object + ignore_missing: true + - remove: + field: + - misp.Attribute.timestamp + - misp.timestamp + - misp.tag + - misp.org + - misp.analysis + - _tmp + - json + ignore_missing: true + +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_misp/1.6.1/data_stream/threat/fields/agent.yml b/packages/ti_misp/1.6.1/data_stream/threat/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_misp/1.6.1/data_stream/threat/fields/agent.yml 
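Review bot: The tag-normalizing script near the end of the pipeline assigns `ctx.tags = tags;`, replacing whatever tags the agent attached — including `forwarded` and `preserve_original_event` from the input template — with the MISP tag names, so those agent tags are lost on every event that carries at least one MISP tag. Relatedly, no processor ever removes `event.original`, so the raw MISP event (which includes `event_creator_email` and org details) is indexed unconditionally and the `preserve_original_event` option has no effect on this data stream. I would append to the existing list in the script and add a conditional remove of `event.original` in the cleanup section, as below. Separately, the two `threat.indicator.provider` branches compare `misp.Orgc.local` against the string `'false'`; if MISP emits that field as a JSON boolean, the second branch never fires and the provider is always `misp` — worth confirming against a sample event.
```yaml
  - script:
      lang: painless
      if: ctx.misp?.tag != null
      source: |
        def tags = ctx.misp.tag.stream()
          .map(t -> t.name.replace('\\', '').replace('"', ''))
          .collect(Collectors.toList());
        // … unchanged: tlpTags derivation …
        if (ctx.tags == null) {
          ctx.tags = new ArrayList();
        }
        ctx.tags.addAll(tags);
        ctx.threat.indicator.marking = [ 'tlp': tlpTags ];
  # … unchanged: unknown-type fallback, type conversions, null-cleanup script, misp.attribute.value / misp.object removes …
  - remove:
      field: event.original
      if: ctx.tags == null || !ctx.tags.contains('preserve_original_event')
      ignore_missing: true
```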
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_misp/1.6.1/data_stream/threat/fields/base-fields.yml b/packages/ti_misp/1.6.1/data_stream/threat/fields/base-fields.yml new file mode 100755 index 0000000000..ad1000cb9b --- /dev/null +++ b/packages/ti_misp/1.6.1/data_stream/threat/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_misp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_misp.threat +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: MISP +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294 +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_misp/1.6.1/data_stream/threat/fields/beats.yml b/packages/ti_misp/1.6.1/data_stream/threat/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/ti_misp/1.6.1/data_stream/threat/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/ti_misp/1.6.1/data_stream/threat/fields/ecs.yml b/packages/ti_misp/1.6.1/data_stream/threat/fields/ecs.yml new file mode 100755 index 0000000000..e6dcb70141 --- /dev/null +++ b/packages/ti_misp/1.6.1/data_stream/threat/fields/ecs.yml 
@@ -0,0 +1,188 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Array of user roles at the time of the event. + name: user.roles + type: keyword +- name: threat.feed.name + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: Count of AV/EDR vendors that successfully detected malicious file or URL. + name: threat.indicator.scanner_stats + type: long +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
+ multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: Identifies a threat indicator as an email address (irrespective of direction). + name: threat.indicator.email.address + type: keyword +- description: The name of the indicator's provider. 
+ name: threat.indicator.provider + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: threat.indicator.as.number + type: long +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: |- + Traffic Light Protocol sharing markings. + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + name: threat.indicator.marking.tlp + type: keyword +- description: Identifies a threat indicator as a port number (irrespective of direction). + name: threat.indicator.port + type: long +- description: Hive-relative path of keys. + name: threat.indicator.registry.key + type: keyword +- description: Name of the value written. + name: threat.indicator.registry.value + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: threat.indicator.file.size + type: long +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: Name of the file including the extension, without the directory. + name: threat.indicator.file.name + type: keyword diff --git a/packages/ti_misp/1.6.1/data_stream/threat/fields/fields.yml b/packages/ti_misp/1.6.1/data_stream/threat/fields/fields.yml new file mode 100755 index 0000000000..133826511b --- /dev/null +++ b/packages/ti_misp/1.6.1/data_stream/threat/fields/fields.yml 
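Review bot: The `threat.indicator.marking.tlp` description lists the recommended values as upper-case `WHITE`/`GREEN`/`AMBER`/`RED`, but the tag script in the pipeline earlier in this diff only strips the `tlp:` prefix from the MISP tag name without changing case, and the sample event stores the value as `green`. Since this is a `keyword` field, a detection rule or dashboard filter written against the documented `AMBER`/`RED` literals will silently match nothing. Either normalize in the pipeline (`.map(t -> t.replace('tlp:', '').toUpperCase())`) or make the description match what is actually emitted; for a docs-only fix I would append: `This integration stores the value as it appears in the MISP tag after the tlp: prefix is removed (for example green), so filters must use the lower-case form.`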
@@ -0,0 +1,291 @@ +- name: misp + type: group + description: > + Fields for MISP indicators + + fields: + - name: id + type: keyword + description: > + Attribute ID. + + - name: orgc_id + type: keyword + description: > + Organization Community ID of the event. + + - name: org_id + type: keyword + description: > + Organization ID of the event. + + - name: threat_level_id + type: long + description: > + Threat level from 5 to 1, where 1 is the most critical. + + - name: info + type: keyword + description: > + Additional text or information related to the event. + + - name: published + type: boolean + description: > + When the event was published. + + - name: uuid + type: keyword + description: > + The UUID of the event object. + + - name: date + type: date + description: > + The date of when the event object was created. + + - name: attribute_count + type: long + description: > + How many attributes are included in a single event object. + + - name: timestamp + type: date + description: > + The timestamp of when the event object was created. + + - name: distribution + type: keyword + description: > + Distribution type related to MISP. + + - name: proposal_email_lock + type: boolean + description: > + Settings configured on MISP for email lock on this event object. + + - name: locked + type: boolean + description: > + If the current MISP event object is locked or not. + + - name: publish_timestamp + type: date + description: > + At what time the event object was published + + - name: sharing_group_id + type: keyword + description: > + The ID of the grouped events or sources of the event. + + - name: disable_correlation + type: boolean + description: > + If correlation is disabled on the MISP event object. + + - name: extends_uuid + type: keyword + description: > + The UUID of the event object it might extend. + + - name: org.id + type: keyword + description: > + The organization ID related to the event object. 
+ + - name: org.name + type: keyword + description: > + The organization name related to the event object. + + - name: org.uuid + type: keyword + description: > + The UUID of the organization related to the event object. + + - name: org.local + type: boolean + description: > + If the event object is local or from a remote source. + + - name: orgc.id + type: keyword + description: > + The Organization Community ID in which the event object was reported from. + + - name: orgc.name + type: keyword + description: > + The Organization Community name in which the event object was reported from. + + - name: orgc.uuid + type: keyword + description: > + The Organization Community UUID in which the event object was reported from. + + - name: orgc.local + type: boolean + description: > + If the Organization Community was local or synced from a remote source. + + - name: attribute.id + type: keyword + description: > + The ID of the attribute related to the event object. + + - name: attribute.type + type: keyword + description: > + The type of the attribute related to the event object. For example email, ipv4, sha1 and such. + + - name: attribute.category + type: keyword + description: > + The category of the attribute related to the event object. For example "Network Activity". + + - name: attribute.to_ids + type: boolean + description: > + If the attribute should be automatically synced with an IDS. + + - name: attribute.uuid + type: keyword + description: > + The UUID of the attribute related to the event. + + - name: attribute.event_id + type: keyword + description: > + The local event ID of the attribute related to the event. + + - name: attribute.distribution + type: long + description: > + How the attribute has been distributed, represented by integer numbers. + + - name: attribute.timestamp + type: date + description: > + The timestamp in which the attribute was attached to the event object. 
+ + - name: attribute.comment + type: keyword + description: > + Comments made to the attribute itself. + + - name: attribute.sharing_group_id + type: keyword + description: > + The group ID of the sharing group related to the specific attribute. + + - name: attribute.deleted + type: boolean + description: > + If the attribute has been removed from the event object. + + - name: attribute.disable_correlation + type: boolean + description: > + If correlation has been enabled on the attribute related to the event object. + + - name: attribute.object_id + type: keyword + description: > + The ID of the Object in which the attribute is attached. + + - name: attribute.object_relation + type: keyword + description: > + The type of relation the attribute has with the event object itself. + + - name: attribute.value + type: keyword + description: > + The value of the attribute, depending on the type like "url, sha1, email-src". + + - name: context.attribute.id + type: keyword + description: > + The ID of the secondary attribute related to the event object. + + - name: context.attribute.type + type: keyword + description: > + The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. + + - name: context.attribute.category + type: keyword + description: > + The category of the secondary attribute related to the event object. For example "Network Activity". + + - name: context.attribute.to_ids + type: boolean + description: > + If the secondary attribute should be automatically synced with an IDS. + + - name: context.attribute.uuid + type: keyword + description: > + The UUID of the secondary attribute related to the event. + + - name: context.attribute.event_id + type: keyword + description: > + The local event ID of the secondary attribute related to the event. + + - name: context.attribute.distribution + type: long + description: > + How the secondary attribute has been distributed, represented by integer numbers. 
+ + - name: context.attribute.timestamp + type: date + description: > + The timestamp in which the secondary attribute was attached to the event object. + + - name: context.attribute.comment + type: keyword + description: > + Comments made to the secondary attribute itself. + + - name: context.attribute.sharing_group_id + type: keyword + description: > + The group ID of the sharing group related to the specific secondary attribute. + + - name: context.attribute.deleted + type: boolean + description: > + If the secondary attribute has been removed from the event object. + + - name: context.attribute.disable_correlation + type: boolean + description: > + If correlation has been enabled on the secondary attribute related to the event object. + + - name: context.attribute.object_id + type: keyword + description: > + The ID of the Object in which the secondary attribute is attached. + + - name: context.attribute.object_relation + type: keyword + description: > + The type of relation the secondary attribute has with the event object itself. + + - name: context.attribute.value + type: keyword + description: > + The value of the attribute, depending on the type like "url, sha1, email-src". + + - name: context.attribute.first_seen + type: keyword + description: > + The first time the indicator was seen. + + - name: context.attribute.last_seen + type: keyword + description: > + The last time the indicator was seen. + diff --git a/packages/ti_misp/1.6.1/data_stream/threat/manifest.yml b/packages/ti_misp/1.6.1/data_stream/threat/manifest.yml new file mode 100755 index 0000000000..ecc9fe6490 --- /dev/null +++ b/packages/ti_misp/1.6.1/data_stream/threat/manifest.yml 
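Review bot: `misp.attribute.timestamp`, `context.attribute.timestamp` and `misp.publish_timestamp` are declared `type: date`, yet the values MISP returns and that the sample event stores are epoch-second strings such as `"1462454963"` and `"1610622316"`; with Elasticsearch's default `strict_date_optional_time||epoch_millis` mapping a ten-digit number is read as milliseconds and lands in January 1970, unless a `date` processor earlier in the pipeline (outside this view) already converts them. Either add a `date` processor with `formats: [UNIX]` for each of these fields, or declare the unit on the mapping (`date_format: epoch_second`, which I believe the package field spec accepts — verify), and say so in the description: `Unix epoch seconds, as returned by the MISP API.` Separately, `misp.published` is a `boolean` but is described as `When the event was published.`; `Whether the event has been published.` matches the type. The `misp.threat_level_id` description `Threat level from 5 to 1` should be checked against MISP's actual enumeration (the sample event carries `2`) rather than stated as a range.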
@@ -0,0 +1,101 @@ +type: logs +title: MISP +streams: + - input: httpjson + vars: + - name: url + type: text + title: MISP URL + multi: false + required: true + show_user: true + default: https://mispserver.com + description: The URL or hostname of the MISP instance. + - name: api_token + type: password + title: MISP API Token + multi: false + required: true + show_user: true + description: The API token used to access the MISP instance. + - name: initial_interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 120h + description: How far back to look for indicators the first time the agent is started. + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: false + default: 30s + - name: filters + type: yaml + title: MISP API Filters + multi: false + required: false + show_user: false + default: | + #type: + # OR: + # - ip-src + # - ip-dst + #tags: + # NOT: + # - tlp-red + description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported. 
+ - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 10m + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + default: | + #verification_mode: none + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - misp-threat + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: MISP + description: Collect indicators from the MISP API diff --git a/packages/ti_misp/1.6.1/data_stream/threat/sample_event.json b/packages/ti_misp/1.6.1/data_stream/threat/sample_event.json new file mode 100755 index 0000000000..a13d7182dd --- /dev/null +++ b/packages/ti_misp/1.6.1/data_stream/threat/sample_event.json 
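Review bot: The `url` variable defaults to `https://mispserver.com`, a public, non-reserved domain, while `api_token` is a required secret that the httpjson input (template outside this view) presumably sends to whatever host that URL names; a user who leaves the default in place would hand their MISP API key to whoever controls that domain, so use a reserved placeholder or no default at all: `default: https://misp.example.com`. The `ssl` default `#verification_mode: none` is commented out, but it is the only example shown and it invites disabling certificate verification on a connection that carries a bearer credential; I would replace it with `# Prefer certificate_authorities for a private CA; verification_mode: none disables TLS checks` so the safe option is the one users copy. The `proxy_url` description has lost its placeholders (`http\[s\]://:@:`) and should read `URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>`. Finally, `initial_interval` and `interval` both carry `title: Interval`, which makes the two fields indistinguishable in the UI; `title: Initial Interval` for the first resolves it.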
@@ -0,0 +1,97 @@ +{ + "@timestamp": "2014-10-06T07:12:57.000Z", + "agent": { + "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da", + "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_misp.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:58:54.124Z", + "dataset": "ti_misp.threat", + "ingested": "2022-04-11T08:58:55Z", + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-
10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "22", + "id": "12394", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "1462454963", + "to_ids": false, + "type": "domain", + "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" + }, + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": "3", + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + }, + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "1610622316", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "green" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "domain-name", + "url": { + "domain": "whatsapp.com" + } + } + } +} \ No newline at end of file diff --git a/packages/ti_misp/1.6.1/docs/README.md b/packages/ti_misp/1.6.1/docs/README.md new file mode 100755 index 0000000000..ca60df6b7c --- /dev/null 
+++ b/packages/ti_misp/1.6.1/docs/README.md 
@@ -0,0 +1,259 @@
+# MISP Integration
+
+The MISP integration uses the [REST API from the running MISP instance](https://www.circl.lu/doc/misp/automation/#automation-api) to retrieve indicators and Threat Intelligence.
+
+## Logs
+
+### Threat
+
+The MISP integration configuration allows to set the polling interval, how far back it
+should look initially, and optionally any filters used to filter the results.
+
+The filters themselves are based on the [MISP API documentation](https://www.circl.lu/doc/misp/automation/#search) and should support all documented fields.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| misp.attribute.category | The category of the attribute related to the event object. For example "Network Activity". | keyword |
+| misp.attribute.comment | Comments made to the attribute itself. | keyword |
+| misp.attribute.deleted | If the attribute has been removed from the event object. | boolean |
+| misp.attribute.disable_correlation | If correlation has been enabled on the attribute related to the event object. | boolean |
+| misp.attribute.distribution | How the attribute has been distributed, represented by integer numbers. | long |
+| misp.attribute.event_id | The local event ID of the attribute related to the event. | keyword |
+| misp.attribute.id | The ID of the attribute related to the event object. | keyword |
+| misp.attribute.object_id | The ID of the Object in which the attribute is attached. | keyword |
+| misp.attribute.object_relation | The type of relation the attribute has with the event object itself. | keyword |
+| misp.attribute.sharing_group_id | The group ID of the sharing group related to the specific attribute. | keyword |
+| misp.attribute.timestamp | The timestamp in which the attribute was attached to the event object. | date |
+| misp.attribute.to_ids | If the attribute should be automatically synced with an IDS. | boolean |
+| misp.attribute.type | The type of the attribute related to the event object. For example email, ipv4, sha1 and such. | keyword |
+| misp.attribute.uuid | The UUID of the attribute related to the event. | keyword |
+| misp.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword |
+| misp.attribute_count | How many attributes are included in a single event object. | long |
+| misp.context.attribute.category | The category of the secondary attribute related to the event object. For example "Network Activity". | keyword |
+| misp.context.attribute.comment | Comments made to the secondary attribute itself. | keyword |
+| misp.context.attribute.deleted | If the secondary attribute has been removed from the event object. | boolean |
+| misp.context.attribute.disable_correlation | If correlation has been enabled on the secondary attribute related to the event object. | boolean |
+| misp.context.attribute.distribution | How the secondary attribute has been distributed, represented by integer numbers. | long |
+| misp.context.attribute.event_id | The local event ID of the secondary attribute related to the event. | keyword |
+| misp.context.attribute.first_seen | The first time the indicator was seen. | keyword |
+| misp.context.attribute.id | The ID of the secondary attribute related to the event object. | keyword |
+| misp.context.attribute.last_seen | The last time the indicator was seen. | keyword |
+| misp.context.attribute.object_id | The ID of the Object in which the secondary attribute is attached. | keyword |
+| misp.context.attribute.object_relation | The type of relation the secondary attribute has with the event object itself. | keyword |
+| misp.context.attribute.sharing_group_id | The group ID of the sharing group related to the specific secondary attribute. | keyword |
+| misp.context.attribute.timestamp | The timestamp in which the secondary attribute was attached to the event object. | date |
+| misp.context.attribute.to_ids | If the secondary attribute should be automatically synced with an IDS. | boolean |
+| misp.context.attribute.type | The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. | keyword |
+| misp.context.attribute.uuid | The UUID of the secondary attribute related to the event. | keyword |
+| misp.context.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword |
+| misp.date | The date of when the event object was created. | date |
+| misp.disable_correlation | If correlation is disabled on the MISP event object. | boolean |
+| misp.distribution | Distribution type related to MISP. | keyword |
+| misp.extends_uuid | The UUID of the event object it might extend. | keyword |
+| misp.id | Attribute ID. | keyword |
+| misp.info | Additional text or information related to the event. | keyword |
+| misp.locked | If the current MISP event object is locked or not. | boolean |
+| misp.org.id | The organization ID related to the event object. | keyword |
+| misp.org.local | If the event object is local or from a remote source. | boolean |
+| misp.org.name | The organization name related to the event object. | keyword |
+| misp.org.uuid | The UUID of the organization related to the event object. | keyword |
+| misp.org_id | Organization ID of the event. | keyword |
+| misp.orgc.id | The Organization Community ID in which the event object was reported from. | keyword |
+| misp.orgc.local | If the Organization Community was local or synced from a remote source. | boolean |
+| misp.orgc.name | The Organization Community name in which the event object was reported from. | keyword |
+| misp.orgc.uuid | The Organization Community UUID in which the event object was reported from. | keyword |
+| misp.orgc_id | Organization Community ID of the event. | keyword |
+| misp.proposal_email_lock | Settings configured on MISP for email lock on this event object. | boolean |
+| misp.publish_timestamp | At what time the event object was published | date |
+| misp.published | When the event was published. | boolean |
+| misp.sharing_group_id | The ID of the grouped events or sources of the event. | keyword |
+| misp.threat_level_id | Threat level from 5 to 1, where 1 is the most critical. | long |
+| misp.timestamp | The timestamp of when the event object was created. | date |
+| misp.uuid | The UUID of the event object. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.feed.name | | keyword |
+| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
+| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
+| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
+| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
+| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
+| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| threat.indicator.file.type | File type (file, dir, or symlink). | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword |
+| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.registry.key | Hive-relative path of keys. | keyword |
+| threat.indicator.registry.value | Name of the value written. | keyword |
+| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
+| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
+| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
+| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
+| threat.indicator.url.port | Port of the request, such as 443. | long |
+| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| user.email | User email address. | keyword |
+| user.roles | Array of user roles at the time of the event. | keyword |
+
+
+An example event for `threat` looks as following:
+
+```json
+{
+ "@timestamp": "2014-10-06T07:12:57.000Z",
+ "agent": {
+ "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da",
+ "id": "f33cbb31-3e5c-4242-8b35-d4631555523c",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "ti_misp.threat",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.3.0"
+ },
+ "elastic_agent": {
+ "id": "f33cbb31-3e5c-4242-8b35-d4631555523c",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "created": "2022-04-11T08:58:54.124Z",
+ "dataset": "ti_misp.threat",
+ "ingested": "2022-04-11T08:58:55Z",
+ "kind": "enrichment",
+ "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}",
+ "type": "indicator"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "misp": {
+ "attribute": {
+ "category": "Network activity",
+ "comment": "",
+ "deleted": false,
+ "disable_correlation": false,
+ "distribution": 5,
+ "event_id": "22",
+ "id": "12394",
+ "object_id": "0",
+ "sharing_group_id": "0",
+ "timestamp": "1462454963",
+ "to_ids": false,
+ "type": "domain",
+ "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16"
+ },
+ "attribute_count": 29,
+ "date": "2014-10-03",
+ "disable_correlation": false,
+ "distribution": "3",
+ "extends_uuid": "",
+ "id": "2",
+ "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks",
+ "locked": false,
+ "org_id": "1",
+ "orgc": {
+ "id": "2",
+ "local": false,
+ "name": "CthulhuSPRL.be",
+ "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
+ },
+ "orgc_id": "2",
+ "proposal_email_lock": false,
+ "publish_timestamp": "1610622316",
+ "published": true,
+ "sharing_group_id": "0",
+ "threat_level_id": 2,
+ "uuid": "54323f2c-e50c-4268-896c-4867950d210b"
+ },
+ "tags": [
+ "type:OSINT",
+ "tlp:green"
+ ],
+ "threat": {
+ "feed": {
+ "name": "MISP"
+ },
+ "indicator": {
+ "marking": {
+ "tlp": [
+ "green"
+ ]
+ },
+ "provider": "misp",
+ "scanner_stats": 2,
+ "type": "domain-name",
+ "url": {
+ "domain": "whatsapp.com"
+ }
+ }
+ }
+}
+```
\ No newline at end of file
diff --git a/packages/ti_misp/1.6.1/img/misp.svg b/packages/ti_misp/1.6.1/img/misp.svg
new file mode 100755
index 0000000000..076530aa25
--- /dev/null
+++ b/packages/ti_misp/1.6.1/img/misp.svg
@@ -0,0 +1,158 @@
+ + + +
diff --git a/packages/ti_misp/1.6.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.6.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json
new file mode 100755
index 0000000000..bd8d5dbf01
--- /dev/null
+++ b/packages/ti_misp/1.6.1/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json
@@ -0,0 +1,132 @@
+{
+ "attributes": {
+ "description": "Dashboard providing statistics about file type indicators from the MISP integration",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n**[MISP Files (This Page)](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877)** \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":27,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs MISP] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + 
"type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_misp/1.6.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.6.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json new file mode 100755 index 0000000000..a9987e5bf9 --- /dev/null +++ b/packages/ti_misp/1.6.1/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n**[MISP URLs (This Page)](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877)** \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs MISP] URLs", + "version": 1 + }, + 
"coreMigrationVersion": "8.0.0", + "id": "ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_misp/1.6.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.6.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json new file mode 100755 index 0000000000..e60f8f871b --- /dev/null +++ b/packages/ti_misp/1.6.1/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json 
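Review bot: The treemap in the "Most Popular File Extensions [Logs MISP]" panel lists the same column id twice in its visualization `groups` array (`\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"]` inside panelsJSON); the other pie/treemap panels in this commit use a single entry, so `\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\"]` is the intended shape and avoids grouping on the same accessor twice. The markdown navigation panel on this URLs dashboard is still titled `Files Navigation Textbox [Logs MISP]`; `URLs Navigation Textbox [Logs MISP]` would match its content, and the same copy-over residue appears as `Overview Textbox [Logs AbuseCH]` in the sibling overview dashboard added later in this commit. The dataset pin in searchSourceJSON filters on `data_stream.dataset`, whereas the overview dashboard pins `event.dataset` plus `event.kind: enrichment`; if all three MISP dashboards are meant to scope identically, the filter fields should be aligned rather than left to differ per dashboard. The panel title `Percentage of URL Schema used [Logs MISP]` presumably means `Scheme`, matching the `threat.indicator.url.scheme` field it aggregates.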
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"ti_misp.threat\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[MISP Overview (This Page)](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294)** \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the MISP integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from MISP. 
\\n\\nIt shows ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from MISP.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":36,\"i\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1641204819355\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1641204843291\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"w\":26,\"x\":7,\"y\":0},\"panelIndex\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"title\":\"Indicator Selector [Logs 
MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d87f35ee-570a-488b-b618-6ada39b49df4\":{\"columnOrder\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\",\"d0f21543-9576-400e-aeca-babc5407d3a7\"],\"columns\":{\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"d0f21543-9576-400e-aeca-babc5407d3a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\"],\"layerId\":\"d87f35ee-570a-488b-b618-6ada39b49df4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":22,\"i\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"title\":\"Total Indicators per type [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0491a750-3050-47a9-bb99-c45984d3d28c\":{\"columnOrder\":[\"fb93835d-e6a1-49b4-8911-ae15b081da8a\"],\"columns\":{\"fb93835d-e6a1-49b4-8911-ae15b081da8a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"fb93835d-e6a1-49b4-8911-ae15b081da8a\",\"layerId\":\"0491a750-3050-47a9-bb99-c45984d3d28c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"title\":\"Total Indicators [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\":{\"columnOrder\":[\"16691165-3643-4658-bfc8-4bba834f2789\",\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"columns\":{\"16691165-3643-4658-bfc8-4bba834f2789\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"3e085a0a-8386-4f64-a629-44ae27b18878\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"},\"3e085a0a-8386-4f64-a629-44ae27b18878\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"layerId\":\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"16691165-3643-4658-bfc8-4bba834f2789\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":true,\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"w\":20,\"x\":13,\"y\":8},\"panelIndex\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"title\":\"Total Indicators per Provider [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],
\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"w\":41,\"x\":7,\"y\":22},\"panelIndex\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"title\":\"Indicators ingested [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]",
+ "timeRestore": false,
+ "title": "[Logs MISP] Overview",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": 
"7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7",
+ "type": "index-pattern"
+ },
+ {
+ "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294",
+ "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ti_misp/1.6.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.6.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json
new file mode 100755
index 0000000000..b202c82473
--- /dev/null
+++ b/packages/ti_misp/1.6.1/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#6092C0",
+ "description": "",
+ "name": "MISP"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag"
+}
\ No newline at end of file
diff --git a/packages/ti_misp/1.6.1/manifest.yml b/packages/ti_misp/1.6.1/manifest.yml
new file mode 100755
index 0000000000..b65e312238
--- /dev/null
+++ b/packages/ti_misp/1.6.1/manifest.yml
@@ -0,0 +1,26 @@
+name: ti_misp
+title: MISP
+version: "1.6.1"
+release: ga
+description: Ingest threat intelligence indicators from MISP platform with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: ["security", "threat_intel"]
+conditions:
+ kibana.version: ^8.0.0
+icons:
+ - src: /img/misp.svg
+ title: MISP
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: ti_misp
+ title: MISP
+ description: Ingest threat intelligence indicators from MISP platform with Elastic Agent.
+ inputs:
+ - type: httpjson
+ title: "Ingest threat intelligence indicators from MISP platform with Elastic Agent."
+ description: "Ingest threat intelligence indicators from MISP platform with Elastic Agent."
+owner:
+ github: elastic/security-external-integrations
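Review bot: The httpjson input's `title` and `description` under `policy_templates[0].inputs` repeat the package-level `description` verbatim, so the three entries give a policy editor no input-specific information about what this input actually polls. A shorter, input-level pair would read better, e.g. `title: "MISP indicators (httpjson)"` and `description: "Poll the MISP API with the httpjson input and ingest the returned indicators."`. The `kibana.version: ^8.0.0` constraint is consistent with the `coreMigrationVersion` of the saved objects added in the earlier hunks of this commit, so no change is needed there.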